
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-1945 affects picklescan versions before 0.0.23: the tool fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits have been modified. The vulnerability was discovered in March 2025 and allows attackers to bypass picklescan's checks by manipulating ZIP file headers while the model still loads normally with PyTorch's torch.load() (NVD, Sonatype Blog).
The vulnerability stems from picklescan's reliance on Python's zipfile module to extract and scan the files inside ZIP-based model archives. By modifying the flag_bits field of a ZIP entry (e.g., bits 0x1, 0x20, or 0x40), attackers can make picklescan fail on the archive while PyTorch's more forgiving ZIP implementation still loads the model successfully. The vulnerability has received a CVSS v4.0 base score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L (GitHub Advisory, Sonatype CVE).
The vulnerability affects any organization or user relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious pickle payloads in PyTorch models that evade picklescan's detection but still execute when the model is loaded. This could be exploited in machine learning supply chain attacks, enabling the distribution of backdoored models on platforms like Hugging Face or PyTorch Hub (GitHub Advisory).
The vulnerability has been fixed in picklescan version 0.0.23. The fix improves ZIP handling with a more relaxed ZIP parser that continues processing when it encounters modified flag bits, ensuring that files with altered metadata are still extracted and analyzed. Users are advised to upgrade to version 0.0.23 or later (GitHub Advisory).
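A defender-side illustration of the gap described above, added here as example code (not picklescan's or PyTorch's own): it walks the ZIP central directory by hand so that an entry with altered flag bits is still surfaced for scanning, and contrasts that with the point where Python's zipfile module stops. The member name model/data.pkl and the benign pickle payload are constructed test fixtures.

```python
import io
import pickle
import struct
import zipfile
import zlib

PAYLOAD = pickle.dumps({"weight": 1.0})  # constructed, benign stand-in for a model's data.pkl
# Flag bits named in the advisory; each makes zipfile.ZipFile.open() raise instead of reading.
SUSPICIOUS_FLAGS = {0x01: "encrypted", 0x20: "compressed patched data", 0x40: "strong encryption"}

def tolerant_members(data: bytes):
    """Yield (name, flag_bits, payload) from the central directory, never refusing an entry for its flags."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, pos = struct.unpack_from("<H4xI", data, eocd + 10)
    for _ in range(count):
        (sig, _, _, flags, method, _, _, crc, csize, _, nlen, elen, clen,
         _, _, _, loff) = struct.unpack_from("<4s6H3I5H2I", data, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name = bytes(data[pos + 46:pos + 46 + nlen]).decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        start = loff + 30 + sum(struct.unpack_from("<2H", data, loff + 26))  # skip local header
        raw = bytes(data[start:start + csize])
        payload = raw if method == 0 else zlib.decompress(raw, -15) if method == 8 else None
        if payload is not None and zlib.crc32(payload) != crc:
            payload = None  # body disagrees with its declared CRC: report the entry, don't trust it
        yield name, flags, payload

def build_fixture(flip: int = 0) -> bytes:
    """Constructed one-member archive; `flip` is OR'ed into the member's central-directory flags."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", PAYLOAD)
    data = bytearray(buf.getvalue())
    cd = struct.unpack_from("<I", data, data.rfind(b"PK\x05\x06") + 16)[0]
    struct.pack_into("<H", data, cd + 8, struct.unpack_from("<H", data, cd + 8)[0] | flip)
    return bytes(data)

def compare(data: bytes):
    """(stdlib error name or None, [(name, anomalies, payload)]): where zipfile stops vs. what to scan."""
    error = None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.testzip()  # opens every member the way a zipfile-based scanner would
    except Exception as exc:  # RuntimeError for bit 0x1, NotImplementedError for 0x20 / 0x40
        error = type(exc).__name__
    return error, [(n, [d for b, d in SUSPICIOUS_FLAGS.items() if f & b], p)
                   for n, f, p in tolerant_members(data)]
```

A scanner built on tolerant_members treats a populated anomalies list as a finding in its own right and still hands the recovered payload to the pickle inspection step, instead of aborting on the archive.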
Source: This report was generated using AI