Listen to this Post

A Silent Threat Rising Inside the AI Supply Chain
The security walls guarding modern machine learning systems have always begun with one foundation, the AI model scanner. These scanners were designed to sift through serialized model files, expose hidden threats, and block malicious actors before they reached production environments. Yet recent discoveries reveal that one of the most trusted defenses in the industry, PickleScan, contains severe blind spots. Three zero-day vulnerabilities, all rated critical, have created a silent pathway for attackers to smuggle malicious PyTorch models into platforms used by millions. For a community already racing to secure fast-moving AI pipelines, this revelation carries unsettling consequences.
Summary Of The Original Report
The Hidden Weakness Inside AI Model Scanning
AI model scanning has long been viewed as the first gateway in ML security. It is meant to catch suspicious operations inside machine learning models before those models ever meet production systems or user environments.
Three Zero-Days Turn Trust Into Liability
Researchers at JFrog Security uncovered three previously unknown vulnerabilities in PickleScan, the popular tool used to analyze PyTorch model files. Each flaw allowed attackers to bypass malware detection and distribute compromised models without being detected.
A Direct Route To Arbitrary Code Execution
Once victims load these tampered models, the embedded code executes automatically. This can steal data, install backdoors, or enable remote compromise. Because model loading is routine across research labs and enterprises, the threat radius becomes enormous.
PyTorch’s Serialization Problem
The core issue stems from how PyTorch relies on Python’s pickle format. Pickle can execute arbitrary Python code during deserialization. Attackers exploit this flexibility by hiding malicious scripts within what appear to be standard model files.
Massive Attack Surface Across The AI Ecosystem
With well over two hundred thousand PyTorch models publicly available on Hugging Face, and many more distributed internally within companies, millions of machines are exposed if malicious files bypass scanners.
PickleScan’s Trusted Role Comes Into Question
PickleScan became the de facto safety tool because it parses pickle bytecode to detect unsafe actions. However, JFrog’s findings reveal that the tool itself has blind spots that attackers can exploit.
The First Vulnerability, File Extension Bypass
CVE-2025-10155 allows attackers to rename malicious pickle files using different extensions like .pt or .bin. PickleScan ignores them, but PyTorch loads them anyway.
CRC Manipulation Opens Second Attack Vector
CVE-2025-10156 introduces CRC errors inside ZIP archives. PickleScan crashes, but PyTorch ignores the errors and still loads the model.
Global Subclass Trick Creates The Third Flaw
CVE-2025-10157 exploits how Python imports module subclasses. Attackers use dangerous subclasses instead of banned module names, slipping past blacklist detection.
A Systemic Weak Link In AI Security
With all three vulnerabilities rated critical, the attacks threaten not just individual systems but the foundational infrastructure used across AI organizations worldwide.
The Single Point Of Failure Problem
Because so many companies rely on PickleScan, any attacker bypassing it gains access to platforms that trust the scanner’s verdict.
Security Tools Must Not Process Files Differently
The research highlights a core principle, security tools must interpret files the same way the underlying application does. Any mismatch creates attackable gaps.
Malicious Models Could Spread At Scale
If exploited, these vulnerabilities allow malicious models to appear legitimate on major repositories, enabling widespread supply chain attacks.
A Call For Layered Defense Strategies
Organizations must move beyond single-point protections and adopt multi-layer scanning, sandboxed environments, safer serialization formats, and updated tools.
Updated PickleScan Version And Safer Alternatives
Security teams are urged to install PickleScan version 0.0.31, transition toward the Safetensors format, and isolate model loading.
A Changed Landscape For AI Security
The discoveries reshape how the industry views defensive tools. What was once “safe enough” can no longer be trusted as the front line against AI threats.
What Undercode Say:
Why These Flaws Are More Dangerous Than They Look
The most concerning detail about these vulnerabilities is not the technical execution but the timing. AI adoption is soaring in enterprises, yet the security maturity of these environments has not kept pace. When foundational tools like PickleScan fail, attackers gain a window where defenders are completely blind.
The Psychology Of Trust In AI Pipelines
Developers trust model scanners because they simplify complex tasks. When that trust becomes automated, it turns into vulnerability. Teams rarely question whether the scanner itself might be flawed.
Supply Chain Attacks Thrive On Assumptions
The AI supply chain mirrors the software supply chain crisis that hit open-source ecosystems years ago. Attackers exploit assumptions, not systems. When everyone assumes a model is safe because a tool scanned it, attackers win.
Model Files Are Becoming New Malware Carriers
This incident confirms that AI models are now malware distribution vehicles. They carry logic, parameters, and increasingly, hidden code. Traditional security tools do not fully understand this structure.
File Extension Blindness Should Have Been Expected
The first flaw, allowing attackers to hide malicious files behind renamed extensions, exposes how rigid and outdated many scanning strategies still are. Security cannot rely on extensions in an era of complex binary formats.
CRC Bypass Shows A Cat-And-Mouse Pattern
The ability to crash scanners using corrupt CRC data is a classic attacker move. When PickleScan fails open instead of failing closed, it becomes an ideal target. PyTorch’s willingness to load corrupted archives further widens the gap.
Subclass Import Bypass Reveals Deeper Architectural Issues
Blacklist approaches to security rarely hold up. Attackers modify class names or inheritance structures and slip past filters. This flaw is a reminder that secure-by-design principles must replace reactive patching.
AI Platforms Are Not Prepared For Model-Based Malware
Hugging Face and similar platforms store hundreds of thousands of models. Yet many do not enforce strict scanning, sandboxing, or dependency isolation. A single malicious upload can affect thousands.
Enterprises Often Download Without Verification
In fast-moving environments, teams fetch models directly from repositories. Without checksum verification or sandboxed deserialization, they risk direct compromise.
The Industry Must Move Toward Zero-Trust AI Pipelines
Zero-trust security in AI means no model should be trusted until proven safe under controlled, isolated execution. Today’s pipelines operate in the opposite direction.
Safer Formats Are An Important Bridge, Not A Final Answer
Tools like Safetensors remove executable code from model files, reducing many risks. Yet attackers may eventually find creative ways to exploit even structured formats. Defense must be layered, not singular.
Model Loading Sandboxes Should Become Mandatory
Every significant AI platform should adopt sandboxed deserialization. Running arbitrary Python code during model load is simply too dangerous to leave unrestricted.
The Real Lesson, Security Tools Must Mirror Runtime Behavior
If PyTorch loads a file differently than PickleScan analyzes it, attackers exploit the discrepancy. Security and runtime logic must operate under identical assumptions.
🔍 Fact Checker Results
Each CVE is rated critical with a CVSS score of 9.3. ✅
PyTorch does load files ignored or crashed by PickleScan. ✅
PickleScan version 0.0.31 contains the official patches. ✅
📊 Prediction
AI model malware will grow rapidly in 2025 as attackers target serialized formats. 🔮
Repository platforms will implement mandatory sandboxing and multi-layer scanning. 🛡️
Safer formats like Safetensors will become industry defaults over pickle-based models. 📈
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




