AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2025-1945: picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag

criticalvulnerability

security

Source: NVD/CVE DatabaseMarch 10, 2025CVE-2025-1945

Summary

picklescan before version 0.0.23 can be tricked into missing malicious pickle files (serialized Python objects) hidden inside PyTorch model archives by modifying certain bits in ZIP file headers. An attacker can use this technique to embed code that runs automatically when someone loads the model with PyTorch, potentially taking over the user's system.

Solution / Mitigation

Upgrade picklescan to version 0.0.23 or later. The fix is available in commit e58e45e0d9e091159c1554f9b04828bbb40b9781 at https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781

Vulnerability Details

CVSS Score

9.8(critical)

EPSS (30-day exploit probability)

EPSS: 0.3%

Classification

Attack Type

Model TheftSupply Chain

Attack SophisticationModerate

Impact (CIA+S)

integrity

Taxonomy References

CWE (Weakness Type)

CWE-345

Affected Vendors

NVIDIA

Related Issues

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Similar attackTechCrunch

high

CVE-2026-24747: PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `wei

First tracked: February 15, 2026 at 08:37 PM

Classified by LLM (prompt v3) · confidence: 92%