CVE-2025-1944: picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to e
Summary
picklescan before version 0.0.23 has a vulnerability where an attacker can manipulate a ZIP archive (a compressed file format) by changing a filename in the ZIP local file header while keeping the original filename in the central directory listing. When picklescan tries to scan such a PyTorch model file (a machine learning model stored as a ZIP), Python's strict ZIP reader raises a BadZipFile error on the mismatch and picklescan crashes, while PyTorch's more forgiving ZIP handler still loads the model anyway, allowing malicious code to bypass the security scanner.
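The mismatch described above can be detected explicitly instead of being left to crash the scanner. The following is an added example, not picklescan's or PyTorch's own code: `header_mismatches` compares each central-directory filename with the name stored in its local file header, `strict_open_fails` shows the BadZipFile behaviour the advisory describes, and `make_fixture` builds a constructed one-member archive (optionally with the local header name rewritten) to exercise both.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"


def header_mismatches(data):
    """Return (central_directory_name, local_header_name) pairs that differ.

    A scanner should report any mismatch as a finding in its own right rather
    than letting zipfile's BadZipFile abort the whole scan.
    """
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_HEADER_SIG:
                raise ValueError("no local file header at offset %d" % off)
            # Fixed 30-byte local header: name length at +26, extra length at +28.
            name_len, _extra_len = struct.unpack_from("<HH", data, off + 26)
            local_name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches


def strict_open_fails(data):
    """True if Python's strict reader (zipfile.ZipFile.open) rejects the
    archive; this is the BadZipFile crash the advisory describes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.open(info).read()
    except zipfile.BadZipFile:
        return True
    return False


def make_fixture(tamper):
    """Constructed test archive: one stored member holding a tiny pickle.
    With tamper=True the filename in the local header is overwritten (same
    length, so all offsets stay valid) while the central directory is left
    unchanged, reproducing the inconsistency the scanner must handle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", b"\x80\x04N.")  # pickle of None
    data = bytearray(buf.getvalue())
    if tamper:
        old, new = b"model/data.pkl", b"model/xxxx.pkl"
        idx = data.index(old)  # first hit is the local header name at offset 30
        data[idx:idx + len(old)] = new
    return bytes(data)
```

A scanner that calls `header_mismatches` before opening members can flag the archive as suspicious and continue, instead of terminating on the strict reader's exception.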
Solution / Mitigation
Upgrade picklescan to version 0.0.23 or later. The patch is available at https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781.
Vulnerability Details
Severity score: 6.5 (medium)
EPSS: 0.1%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-1944
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 85%