AI Scanners Under Fire After Three Critical PickleScan Zero-Days Shake PyTorch Security

Listen to this Post

Featured Image

A Silent Threat Rising Inside the AI Supply Chain

The security walls guarding modern machine learning systems have always begun with one foundation, the AI model scanner. These scanners were designed to sift through serialized model files, expose hidden threats, and block malicious actors before they reached production environments. Yet recent discoveries reveal that one of the most trusted defenses in the industry, PickleScan, contains severe blind spots. Three zero-day vulnerabilities, all rated critical, have created a silent pathway for attackers to smuggle malicious PyTorch models into platforms used by millions. For a community already racing to secure fast-moving AI pipelines, this revelation carries unsettling consequences.

Summary Of The Original Report

The Hidden Weakness Inside AI Model Scanning

AI model scanning has long been viewed as the first gateway in ML security. It is meant to catch suspicious operations inside machine learning models before those models ever meet production systems or user environments.

Three Zero-Days Turn Trust Into Liability

Researchers at JFrog Security uncovered three previously unknown vulnerabilities in PickleScan, the popular tool used to analyze PyTorch model files. Each flaw allowed attackers to bypass malware detection and distribute compromised models without being detected.

A Direct Route To Arbitrary Code Execution

Once victims load these tampered models, the embedded code executes automatically. This can steal data, install backdoors, or enable remote compromise. Because model loading is routine across research labs and enterprises, the threat radius becomes enormous.

PyTorch’s Serialization Problem

The core issue stems from how PyTorch relies on Python’s pickle format. Pickle can execute arbitrary Python code during deserialization. Attackers exploit this flexibility by hiding malicious scripts within what appear to be standard model files.

Massive Attack Surface Across The AI Ecosystem

With well over two hundred thousand PyTorch models publicly available on Hugging Face, and many more distributed internally within companies, millions of machines are exposed if malicious files bypass scanners.

PickleScan’s Trusted Role Comes Into Question

PickleScan became the de facto safety tool because it parses pickle bytecode to detect unsafe actions. However, JFrog’s findings reveal that the tool itself has blind spots that attackers can exploit.

The First Vulnerability, File Extension Bypass

CVE-2025-10155 allows attackers to rename malicious pickle files using different extensions like .pt or .bin. PickleScan ignores them, but PyTorch loads them anyway.

CRC Manipulation Opens Second Attack Vector

CVE-2025-10156 introduces CRC errors inside ZIP archives. PickleScan crashes, but PyTorch ignores the errors and still loads the model.

Global Subclass Trick Creates The Third Flaw

CVE-2025-10157 exploits how Python imports module subclasses. Attackers use dangerous subclasses instead of banned module names, slipping past blacklist detection.

A Systemic Weak Link In AI Security

With all three vulnerabilities rated critical, the attacks threaten not just individual systems but the foundational infrastructure used across AI organizations worldwide.

The Single Point Of Failure Problem

Because so many companies rely on PickleScan, any attacker bypassing it gains access to platforms that trust the scanner’s verdict.

Security Tools Must Not Process Files Differently

The research highlights a core principle, security tools must interpret files the same way the underlying application does. Any mismatch creates attackable gaps.

Malicious Models Could Spread At Scale

If exploited, these vulnerabilities allow malicious models to appear legitimate on major repositories, enabling widespread supply chain attacks.

A Call For Layered Defense Strategies

Organizations must move beyond single-point protections and adopt multi-layer scanning, sandboxed environments, safer serialization formats, and updated tools.

Updated PickleScan Version And Safer Alternatives

Security teams are urged to install PickleScan version 0.0.31, transition toward the Safetensors format, and isolate model loading.

A Changed Landscape For AI Security

The discoveries reshape how the industry views defensive tools. What was once “safe enough” can no longer be trusted as the front line against AI threats.

What Undercode Say:

Why These Flaws Are More Dangerous Than They Look

The most concerning detail about these vulnerabilities is not the technical execution but the timing. AI adoption is soaring in enterprises, yet the security maturity of these environments has not kept pace. When foundational tools like PickleScan fail, attackers gain a window where defenders are completely blind.

The Psychology Of Trust In AI Pipelines

Developers trust model scanners because they simplify complex tasks. When that trust becomes automated, it turns into vulnerability. Teams rarely question whether the scanner itself might be flawed.

Supply Chain Attacks Thrive On Assumptions

The AI supply chain mirrors the software supply chain crisis that hit open-source ecosystems years ago. Attackers exploit assumptions, not systems. When everyone assumes a model is safe because a tool scanned it, attackers win.

Model Files Are Becoming New Malware Carriers

This incident confirms that AI models are now malware distribution vehicles. They carry logic, parameters, and increasingly, hidden code. Traditional security tools do not fully understand this structure.

File Extension Blindness Should Have Been Expected

The first flaw, allowing attackers to hide malicious files behind renamed extensions, exposes how rigid and outdated many scanning strategies still are. Security cannot rely on extensions in an era of complex binary formats.

CRC Bypass Shows A Cat-And-Mouse Pattern

The ability to crash scanners using corrupt CRC data is a classic attacker move. When PickleScan fails open instead of failing closed, it becomes an ideal target. PyTorch’s willingness to load corrupted archives further widens the gap.

Subclass Import Bypass Reveals Deeper Architectural Issues

Blacklist approaches to security rarely hold up. Attackers modify class names or inheritance structures and slip past filters. This flaw is a reminder that secure-by-design principles must replace reactive patching.

AI Platforms Are Not Prepared For Model-Based Malware

Hugging Face and similar platforms store hundreds of thousands of models. Yet many do not enforce strict scanning, sandboxing, or dependency isolation. A single malicious upload can affect thousands.

Enterprises Often Download Without Verification

In fast-moving environments, teams fetch models directly from repositories. Without checksum verification or sandboxed deserialization, they risk direct compromise.

The Industry Must Move Toward Zero-Trust AI Pipelines

Zero-trust security in AI means no model should be trusted until proven safe under controlled, isolated execution. Today’s pipelines operate in the opposite direction.

Safer Formats Are An Important Bridge, Not A Final Answer

Tools like Safetensors remove executable code from model files, reducing many risks. Yet attackers may eventually find creative ways to exploit even structured formats. Defense must be layered, not singular.

Model Loading Sandboxes Should Become Mandatory

Every significant AI platform should adopt sandboxed deserialization. Running arbitrary Python code during model load is simply too dangerous to leave unrestricted.

The Real Lesson, Security Tools Must Mirror Runtime Behavior

If PyTorch loads a file differently than PickleScan analyzes it, attackers exploit the discrepancy. Security and runtime logic must operate under identical assumptions.

🔍 Fact Checker Results

Each CVE is rated critical with a CVSS score of 9.3. ✅

PyTorch does load files ignored or crashed by PickleScan. ✅

PickleScan version 0.0.31 contains the official patches. ✅

📊 Prediction

AI model malware will grow rapidly in 2025 as attackers target serialized formats. 🔮
Repository platforms will implement mandatory sandboxing and multi-layer scanning. 🛡️
Safer formats like Safetensors will become industry defaults over pickle-based models. 📈

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon