CVE-2025-10156
Published: 17 September 2025
Summary
CVE-2025-10156 is a critical-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The CVE ranks in the top 23.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the improper exception handling flaw in picklescan's ZIP scanning component through timely patching, as specified in the vendor advisory.
- SI-11 (Error Handling): mandates secure handling of exceptional conditions such as a bad CRC in a ZIP archive, so that the scanner does not halt prematurely and every member is inspected for malicious pickles.
- Input validation: validates ZIP archive inputs for structural integrity, including CRC checks, before scanning, so that malformed archives are rejected rather than allowed to bypass analysis.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Disable or Modify Tools (T1562.001) applies because the bad-CRC exception halts picklescan's ZIP inspection, impairing the detection tool; the malicious pickle is then loaded undetected, which yields Python code execution.
NVD Description
An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Deeper analysis
CVE-2025-10156 is an Improper Handling of Exceptional Conditions vulnerability (CWE-755) in the ZIP archive scanning component of the picklescan library maintained by mmaitre314. The flaw enables a remote attacker to bypass security scans by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC). This exception causes the scanner to halt prematurely, failing to inspect the archive's contents for malicious pickle files.
A remote attacker requires no privileges or user interaction and can exploit this over the network with low complexity, as indicated by the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By submitting the crafted ZIP, the attacker evades detection, allowing the archive to be deemed safe. Subsequent loading of the malicious pickle file within it can result in arbitrary code execution.
Mitigation details are provided in the GitHub security advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg. The vulnerable code resides in relaxed_zipfile.py at line 35 in version v0.0.29, accessible via https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35.
This vulnerability is relevant to AI/ML workflows because pickle files are the common serialization format for models hosted on platforms like Hugging Face; the jina-embeddings-v2-base-en model, whose repository tree includes a pytorch_model.bin file, is one referenced example.
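The two error-handling patterns contrasted by the SI-11 control above, as an added example. This is not picklescan's code and does not reproduce its internals; it models the behaviour the advisory describes (one bad CRC ends the scan and an empty result reads as "clean") next to a fail-closed scanner that records the error per member, keeps scanning, and reports the archive as unsafe. The watch list, the file suffixes, the scanner functions and the constructed test archive (a benign pickle with a flipped central-directory CRC-32, followed by a pickle that only references os.system via GLOBAL and STOP, so loading it executes nothing) are all assumptions made for the example; only the Python standard library is used.

```python
import io
import pickle
import pickletools
import struct
import zipfile

# Watch list of (module, name) pairs a model pickle has no business importing.
# Constructed for this example; it is not picklescan's own list.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "call"),
    ("builtins", "eval"), ("builtins", "exec"),
}
PICKLE_SUFFIXES = (".pkl", ".pickle", ".bin")  # assumed member suffixes worth scanning


def suspicious_globals(pickle_bytes):
    """Return the watch-listed (module, name) pairs a pickle would import.

    pickletools.genops only disassembles; nothing is unpickled. GLOBAL carries
    "module name" as its argument; STACK_GLOBAL (protocol 4) takes the two
    strings pushed just before it.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(pickle_bytes):
        if op.name == "GLOBAL":
            module, _, name = arg.partition(" ")
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            module, name = strings[-2], strings[-1]
        else:
            if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
                strings.append(arg)
            continue
        if (module, name) in DANGEROUS_GLOBALS:
            found.append((module, name))
    return found


def scan_zip_halting(data):
    """Pattern the advisory describes (modelled here, not picklescan's code):
    the first BadZipFile ends the scan, and an empty result reads as 'clean'."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.endswith(PICKLE_SUFFIXES):
                    findings += suspicious_globals(zf.read(info))  # BadZipFile on CRC mismatch
    except zipfile.BadZipFile:
        pass  # scan halts; the remaining members are never inspected
    return findings


def scan_zip_fail_closed(data):
    """Hardened pattern (SI-11 style): errors are recorded per member, the scan
    continues with the next member, and any error makes the verdict unsafe."""
    findings, errors = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"safe": False, "findings": [], "errors": [f"archive: {exc}"]}
    with zf:
        for info in zf.infolist():
            if not info.filename.endswith(PICKLE_SUFFIXES):
                continue
            try:
                payload = zf.read(info)
            except zipfile.BadZipFile as exc:
                errors.append(f"{info.filename}: {exc}")
                continue
            try:
                findings += suspicious_globals(payload)
            except ValueError as exc:  # truncated or non-pickle bytes
                errors.append(f"{info.filename}: unparseable pickle ({exc})")
    return {"safe": not findings and not errors, "findings": findings, "errors": errors}


def build_fixture(corrupt_crc=True):
    """Constructed test archive: a benign pickle first, then a pickle that only
    references os.system (GLOBAL + STOP, no REDUCE, so it executes nothing).
    With corrupt_crc=True the first member's CRC-32 in the central directory is
    flipped, reproducing the bad-CRC condition the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", pickle.dumps([1, 2, 3]))
        zf.writestr("model/extra.pkl", b"cos\nsystem\n.")
    data = bytearray(buf.getvalue())
    if corrupt_crc:
        cd = data.find(b"PK\x01\x02")                      # first central-directory record (data.pkl)
        crc = struct.unpack_from("<I", data, cd + 16)[0]  # CRC-32 field sits at offset 16
        struct.pack_into("<I", data, cd + 16, crc ^ 0xFFFFFFFF)
    return bytes(data)


if __name__ == "__main__":
    crafted = build_fixture()
    print("halting scanner:    ", scan_zip_halting(crafted))      # [] -> wrongly 'clean'
    print("fail-closed scanner:", scan_zip_fail_closed(crafted))  # unsafe, with findings and errors
```

The design point is that a scanner's error path must be a verdict, not an absence of one: the halting version returns an empty finding list that a caller cannot distinguish from a clean archive, whereas the fail-closed version both surfaces the CRC error and still reaches the os.system reference in the second member. Python's zipfile only raises BadZipFile once a member has been read to the end, so the check has to wrap the read of every member, not just the archive open.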
Details
- CWE(s)