CVE-2025-1889: 
Python vulnerability analysis and mitigation

CVE-2025-1889 affects picklescan versions before 0.0.22, where the tool only considers standard pickle file extensions in its vulnerability scanning scope. The vulnerability was discovered by Sonatype and disclosed on March 3, 2025. This security flaw impacts organizations and individuals using picklescan to detect malicious pickle files inside PyTorch models (Sonatype Blog, NVD).

The vulnerability stems from picklescan's reliance on file extensions for identifying pickle files. PyTorch allows specifying alternative pickle files inside a model archive using the pickle_file parameter when calling torch.load(). This enables attackers to embed malicious pickle files with non-standard extensions (e.g., config.p) inside the model while keeping the primary data.pkl file benign. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) and a CVSS v4.0 score of 5.3 (MEDIUM) (NVD, Sonatype Advisory).

When exploited, this vulnerability allows attackers to bypass security checks by embedding malicious code in PyTorch models that remains undetected but executes when the model is loaded. This is particularly concerning as PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector. The vulnerability could be exploited in supply chain attacks, potentially backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub (Sonatype Advisory).

The vulnerability has been fixed in picklescan version 0.0.22. Recommended mitigations include scanning all files in ZIP archives regardless of extension, detecting hidden pickle references through static analysis of torch.load(pickle_file=...) calls, implementing magic byte detection instead of relying on extensions, and blocking specific globals like torch.load and functools.partial (Sonatype Advisory).