
Introduction
Cybersecurity researchers have uncovered three severe zero-day vulnerabilities in PickleScan, a widely used tool for scanning Python pickle files and PyTorch models. These flaws, each rated 9.3 on the CVSS scale, could allow attackers to bypass scanning protections and deploy malicious machine learning models without detection. The findings, released by the JFrog Security Research Team on 2 December 2025, expose systemic weaknesses in AI supply chain security, emphasizing the dangers of relying on single-layer scanning tools and misaligned file-handling practices.
Three Critical Flaws in PickleScan
The first flaw, CVE-2025-10155, exploits a file extension bypass. Researchers discovered that renaming a malicious pickle file to a common PyTorch extension, such as .bin or .pt, caused PickleScan to misidentify the file type. The scanner prioritized the file extension over content analysis, resulting in a failed security scan while PyTorch still executed the malicious file.
The second vulnerability, CVE-2025-10156, revealed a mismatch between PickleScan and PyTorch in processing ZIP archives. PickleScan relied on Python’s zipfile module, which would raise errors when encountering CRC mismatches. PyTorch ignored these CRC errors, meaning a corrupted archive with malicious payloads could still load successfully. Researchers demonstrated that zeroing CRC values allowed models to bypass PickleScan, creating a critical blind spot for attackers.
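Both bypasses come down to the scanner trusting something other than the bytes: the file extension in the first case, the ZIP library's CRC error in the second. The following is an added example, not PickleScan's or JFrog's code, of a content-first check: it sniffs pickle data regardless of filename, walks the opcode stream for operations that can import or call code, and reads ZIP members through their local headers so that a CRC-32 mismatch becomes a finding instead of a scan abort. The sample files (a pickle saved as `weights.bin`, the same pickle inside a `model.pt` archive with both CRC fields zeroed, and a clean pickle) are constructed in `build_samples()`; the opcode names and header offsets are the standard pickle and ZIP formats, and the function names and finding strings are this example's own.

```python
"""Content-first scan of model artifacts (added example, not PickleScan code).

Two checks that map to the two bypasses described above:
  1. decide "is this a pickle?" from the bytes, never from the file extension;
  2. read ZIP members via their local headers, compare the stored CRC-32 with
     the real one, and report a mismatch as a finding instead of aborting.
"""
from __future__ import annotations

import collections
import io
import pickle
import pickletools
import struct
import zipfile
import zlib

# Pickle opcodes that can import a module or call a callable at load time.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "REDUCE", "BUILD"}


def looks_like_pickle(data: bytes) -> bool:
    """Sniff pickle content from bytes alone: protocol 2+ header, else an opcode walk."""
    if len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5:
        return True
    try:
        ops = list(pickletools.genops(data))
    except Exception:  # any parse failure: pickle.load() would fail on it too
        return False
    return bool(ops) and ops[-1][0].name == "STOP"


def pickle_findings(data: bytes) -> list[str]:
    """Return the opcodes in this pickle that can import or execute code."""
    try:
        names = {op.name for op, _arg, _pos in pickletools.genops(data)}
    except Exception:
        return ["malformed pickle stream"]
    return sorted(names & CODE_OPCODES)


def zip_member_bytes(archive: bytes, info: zipfile.ZipInfo) -> bytes:
    """Extract one member by parsing its local file header ourselves.

    zipfile.ZipFile.read() raises BadZipFile on a CRC mismatch, which is the
    behaviour the bypass relies on; this path never consults the CRC.
    """
    off = info.header_offset
    if archive[off:off + 4] != b"PK\x03\x04":
        raise ValueError(f"{info.filename}: bad local header signature")
    # Local header: 30 fixed bytes, name length at +26, extra length at +28.
    name_len, extra_len = struct.unpack_from("<HH", archive, off + 26)
    start = off + 30 + name_len + extra_len
    raw = archive[start:start + info.compress_size]
    if info.compress_type == zipfile.ZIP_STORED:
        return raw
    if info.compress_type == zipfile.ZIP_DEFLATED:
        return zlib.decompress(raw, -15)  # raw deflate stream, no zlib header
    raise ValueError(f"{info.filename}: unsupported compression {info.compress_type}")


def scan(filename: str, data: bytes) -> list[str]:
    """Scan by content. The filename appears in findings but never steers the logic."""
    findings: list[str] = []
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zip_member_bytes(data, info)
                actual = zlib.crc32(member) & 0xFFFFFFFF
                if actual != info.CRC:
                    findings.append(f"{filename}:{info.filename}: CRC mismatch "
                                    f"(stored {info.CRC:#010x}, actual {actual:#010x})")
                if looks_like_pickle(member):
                    findings += [f"{filename}:{info.filename}: pickle opcode {op}"
                                 for op in pickle_findings(member)]
    elif looks_like_pickle(data):
        findings += [f"{filename}: pickle opcode {op}" for op in pickle_findings(data)]
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed inputs for this example (not real malware).

    - weights.bin: a pickle of collections.OrderedDict, which needs STACK_GLOBAL
      and REDUCE to rebuild, saved under a PyTorch-style name;
    - model.pt: the same pickle inside a stored ZIP whose CRC-32 fields in the
      local header (offset 14) and central directory entry (offset 16) are zeroed;
    - clean.bin: a pickle of plain containers, which needs no code opcodes.
    """
    payload = pickle.dumps(collections.OrderedDict(weights=[1, 2, 3]), protocol=4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", payload)
    archive = bytearray(buf.getvalue())
    archive[14:18] = b"\x00\x00\x00\x00"  # the only local header sits at offset 0
    cd = archive.find(b"PK\x01\x02")
    archive[cd + 16:cd + 20] = b"\x00\x00\x00\x00"
    return {"weights.bin": payload,
            "model.pt": bytes(archive),
            "clean.bin": pickle.dumps({"w": [1, 2, 3]}, protocol=4)}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        for line in scan(name, blob) or [f"{name}: no findings"]:
            print(line)
```

Running the block reports `STACK_GLOBAL` and `REDUCE` for `weights.bin` despite its extension, and for `model.pt` it reports the CRC mismatch alongside the same opcodes, where a scanner built on `ZipFile.read()` would have stopped at `BadZipFile`. The design point is that a CRC error is evidence about the file, not a reason to skip it.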
The third flaw, CVE-2025-10157, allowed evasion of
Systemic Risks and Supply Chain Implications
These vulnerabilities underline key systemic risks: reliance on a single scanning tool, inconsistencies between security scanners and ML frameworks, and the potential for large-scale supply chain attacks targeting major model hubs. The flaws were disclosed to PickleScan maintainers on 29 June 2025 and patched in version 0.0.31 on 2 September 2025. JFrog advised users to update immediately, adopt layered defenses, and transition to safer model formats such as Safetensors to reduce exposure.
What Undercode Says:
The PickleScan vulnerabilities highlight a critical misalignment in AI security practices. Scanners that focus primarily on file extensions or conventional content checks are increasingly inadequate against sophisticated attacks targeting ML pipelines. Attackers are exploiting inherent discrepancies between security tools and framework behavior, particularly in deserialization processes and archive handling. This indicates that security must extend beyond individual tools to embrace holistic, multi-layered approaches.
From an operational perspective, the flaws demonstrate the dangers of trust assumptions in the AI supply chain. Machine learning frameworks like PyTorch prioritize functionality and flexibility, which can inadvertently bypass security safeguards. When coupled with centralized model repositories, this creates a high-value attack surface for supply chain exploitation. In practice, organizations cannot rely solely on scanners like PickleScan; layered security measures, rigorous file integrity checks, and sandboxing are essential to prevent undetected malicious payloads.
Additionally, the specific flaws reveal how attackers can manipulate object serialization and module inheritance to evade detection. This is particularly concerning for enterprise AI deployments, where malicious models could execute arbitrary commands on critical infrastructure. The fact that these flaws were discovered months before being patched also highlights a delay risk: even responsible disclosure cannot immediately prevent potential exploitation.
The advisory’s recommendation to adopt Safetensors over pickles is significant. Safetensors are inherently safer due to strict serialization rules and immutability, reducing the attack surface for malicious payloads. Organizations should prioritize migration to such secure formats while maintaining auditability and integrity monitoring. Furthermore, the incident underscores the need for continuous testing and red-teaming of AI pipelines. Security teams should simulate adversarial scenarios, including malformed archives, subclass exploitation, and file spoofing, to proactively uncover vulnerabilities before attackers can exploit them.
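To make the Safetensors recommendation concrete, here is an added example (not the safetensors library's own code) of the format's entire loading surface: an 8-byte little-endian header length, a JSON header that maps tensor names to a dtype, a shape and a pair of byte offsets, and then the raw tensor buffer. A loader only parses JSON and bounds-checks numbers; nothing in the file names a Python object, so there is no counterpart to pickle's `GLOBAL` or `REDUCE`. The writer, the `is_valid_safetensors` wrapper, the sample tensors and the dtype size table (limited to common dtypes) are constructed for this example.

```python
"""Minimal safetensors writer and validator (added example, not the safetensors library).

Layout: 8-byte little-endian header length N, N bytes of JSON, then the raw
tensor buffer. Every field the loader acts on is a number or a string, so
validation is bounds checking, not code execution.
"""
from __future__ import annotations

import json
import struct

# Bytes per element for the dtypes this example accepts.
DTYPE_SIZE = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2,
              "I64": 8, "I32": 4, "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}


def write_safetensors(tensors: dict[str, tuple[str, list[int], bytes]],
                      metadata: dict[str, str] | None = None) -> bytes:
    """Serialise {name: (dtype, shape, raw_bytes)} in safetensors layout."""
    header: dict = {}
    if metadata:
        header["__metadata__"] = metadata
    body, offset = bytearray(), 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [offset, offset + len(raw)]}
        body += raw
        offset += len(raw)
    hdr = json.dumps(header).encode()
    hdr += b" " * (-len(hdr) % 8)  # pad with spaces so the buffer starts 8-byte aligned
    return struct.pack("<Q", len(hdr)) + hdr + bytes(body)


def validate_safetensors(data: bytes, max_header: int = 100_000_000) -> dict:
    """Parse the header and check every offset; raise ValueError on any inconsistency."""
    if len(data) < 8:
        raise ValueError("file shorter than the 8-byte length prefix")
    (n,) = struct.unpack("<Q", data[:8])
    if n > max_header or 8 + n > len(data):
        raise ValueError(f"header length {n} exceeds file size or limit")
    header = json.loads(data[8:8 + n])
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    buffer_len = len(data) - 8 - n
    spans = []
    for name, info in header.items():
        if name == "__metadata__":
            if not isinstance(info, dict) or not all(
                    isinstance(k, str) and isinstance(v, str) for k, v in info.items()):
                raise ValueError("__metadata__ must map strings to strings")
            continue
        if not isinstance(info, dict):
            raise ValueError(f"{name}: tensor entry must be an object")
        dtype = info.get("dtype")
        shape = info.get("shape")
        offsets = info.get("data_offsets")
        if dtype not in DTYPE_SIZE:
            raise ValueError(f"{name}: unknown dtype {dtype!r}")
        if not isinstance(shape, list) or not all(type(d) is int and d >= 0 for d in shape):
            raise ValueError(f"{name}: shape must be a list of non-negative ints")
        if not (isinstance(offsets, list) and len(offsets) == 2
                and all(type(o) is int for o in offsets)):
            raise ValueError(f"{name}: data_offsets must be [begin, end]")
        begin, end = offsets
        expected = DTYPE_SIZE[dtype]
        for d in shape:
            expected *= d
        if not (0 <= begin <= end <= buffer_len) or end - begin != expected:
            raise ValueError(f"{name}: offsets {begin}..{end} do not fit {dtype}{shape} "
                             f"in a {buffer_len}-byte buffer")
        spans.append((begin, end, name))
    # Tensors must tile the buffer exactly: no gaps, overlaps or trailing bytes.
    cursor = 0
    for begin, end, name in sorted(spans):
        if begin != cursor:
            raise ValueError(f"{name}: gap or overlap at offset {begin} (expected {cursor})")
        cursor = end
    if cursor != buffer_len:
        raise ValueError(f"{buffer_len - cursor} trailing bytes after the last tensor")
    return header


def is_valid_safetensors(data: bytes) -> bool:
    """True if validate_safetensors() accepts the bytes (JSONDecodeError is a ValueError)."""
    try:
        validate_safetensors(data)
    except ValueError:
        return False
    return True


# Constructed sample: a 2x2 F32 weight and a 2-element I8 bias.
SAMPLE = write_safetensors({
    "weight": ("F32", [2, 2], struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)),
    "bias": ("I8", [2], b"\x01\x02"),
}, metadata={"format": "pt"})

if __name__ == "__main__":
    print(validate_safetensors(SAMPLE))
    print(is_valid_safetensors(SAMPLE[:-1]))  # truncated file is rejected
```

The validator rejects a truncated file, appended bytes, an oversized header length and any offset that does not match dtype times shape. That exhaustive, purely numeric check is what "strict serialization rules" buys: the worst a hostile file can do is fail validation, not run code.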
This case also emphasizes that AI supply chain security is not only a technical issue but a governance challenge. Organizations must align development, security, and operations teams, ensuring that ML frameworks, model repositories, and scanning tools operate under shared security protocols. Centralizing patch management and threat intelligence across AI pipelines will reduce the time window for exploitation.
Fact Checker Results:
✅ PickleScan vulnerabilities CVE-2025-10155, CVE-2025-10156, CVE-2025-10157 are confirmed with CVSS 9.3.
✅ JFrog advisory and patch version 0.0.31 verified.
❌ No evidence of active large-scale attacks exploiting these flaws so far.
Prediction:
📊 The discovery of these flaws may trigger an increase in research into AI supply chain security and alternative scanning methods. Enterprises are likely to accelerate adoption of secure formats like Safetensors, while attackers may focus on overlooked deserialization vectors and subclass evasion techniques. Expect broader regulatory scrutiny and mandatory security protocols for model repositories in the near future.
References:
Reported By: www.infosecurity-magazine.com