CVE-2025-1945

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

Published: Mar 10, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-1945
GHSA: GHSA-w8jq-xcqf-f792
Severity: Medium
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-345

Affected Software
References

Software	From	Fixed in
picklescan	-	0.0.23
mmaitre314 / picklescan	-	0.0.23

https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792
https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-21.yaml
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945

Vulnerability Database

CVE-2025-1945