{"data":{"id":"d2c40adf-40dc-462f-b53f-0ab9d1f42ecb","title":"CVE-2025-1945: picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file header flag bits are modified","summary":"picklescan before version 0.0.23 can be tricked into missing malicious pickle files (serialized Python objects) hidden inside PyTorch model archives by modifying certain bits in ZIP file headers. Because the scanner reports such an archive as clean while PyTorch still loads it, an attacker can use this technique to embed code that runs automatically (via pickle deserialization) when someone loads the model with PyTorch, potentially taking over the user's system.","solution":"Upgrade picklescan to version 0.0.23 or later. The fix is available in commit e58e45e0d9e091159c1554f9b04828bbb40b9781 at https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781. Because affected versions report such archives as clean, model archives that were only vetted with an unpatched picklescan should be re-scanned after upgrading.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-1945","publishedAt":"2025-03-10T16:15:12.450Z","cveId":"CVE-2025-1945","cweIds":["CWE-345"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["model_theft","supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["NVIDIA"],"affectedVendorsRaw":["PyTorch","PickleScan"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00312,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}