Cyber Resilience

CVE-2025-10156

Critical · Public PoC

Published: 17 September 2025

Modified: 02 October 2025
KEV Added: not listed
Patch
CVSS Score (v4): 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0143 (69.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-10156 is a critical-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE ranks in the top 30.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-10156 is an Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of the mmaitre314 picklescan tool. The flaw resides in relaxed_zipfile.py: a specially crafted ZIP containing a file with an invalid Cyclic Redundancy Check (CRC) causes the scanner to halt without examining the archive contents for malicious pickle payloads.

A remote attacker can supply the malformed archive to any application or workflow that relies on picklescan for safety checks. When the file is subsequently deserialized, arbitrary Python code contained in the undetected pickle can execute with the privileges of the loading process.

The associated GitHub Security Advisory GHSA-mjqp-26hc-grxg and the linked source file provide the primary references for understanding the issue and any subsequent fixes.

The vulnerability is relevant to AI/ML environments because picklescan is commonly used to inspect serialized model files distributed through repositories such as Hugging Face. The EPSS score has remained flat at 0.0128, with no material increase since disclosure.

Vulnerability details

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
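The flaw class described above is a scanner that treats an exception on one archive member as the end of the scan, so an archive it never finished inspecting is reported as safe. The following Python is an added, simplified illustration of that fail-open pattern beside its fail-closed counterpart; it is not picklescan's own code. The denylist of modules, the member-name suffixes that select which entries are treated as pickles, and the sample archives (including the one whose stored data is altered so its recorded CRC-32 no longer matches) are constructed assumptions for the demonstration. The hardened variant goes a step beyond the single-member case in the advisory: it records the read error, keeps scanning the remaining members, and never returns "clean" for an archive it could not fully inspect.

```python
"""Fail-open vs fail-closed ZIP scanning (CWE-755).

Added, simplified illustration of the flaw class in the advisory; NOT
picklescan's own code. Denylist, suffixes and sample archives are assumptions.
"""
import io
import pickle
import pickletools
import struct
import zipfile
from enum import Enum

DENIED_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys"}  # assumption
PICKLE_SUFFIXES = (".pkl", ".pickle", ".bin")                            # assumption


class Verdict(Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"
    UNSCANNABLE = "unscannable"  # not fully inspected: must be treated as untrusted


def scan_pickle_bytes(data: bytes) -> list:
    """Walk the opcode stream with pickletools (nothing is unpickled) and return the
    (module, name) pairs resolved via GLOBAL/INST/STACK_GLOBAL that hit the denylist."""
    hits, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)          # genops renders the pair as "module name"
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                continue
            module, name = strings[-2], strings[-1]   # operands are the last two strings pushed
        else:
            if "UNICODE" in op.name or "STRING" in op.name:
                strings.append(arg)
            continue
        if module in DENIED_MODULES:
            hits.append((module, name))
    return hits


def scan_zip_fail_open(zip_bytes: bytes) -> Verdict:
    """The CWE-755 pattern: the first member that cannot be read ends the scan, and
    because nothing suspicious was recorded the archive is reported clean."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for name in zf.namelist():
                if name.endswith(PICKLE_SUFFIXES):
                    findings += scan_pickle_bytes(zf.read(name))  # BadZipFile on CRC mismatch
    except Exception:
        pass  # scan halts here; remaining members are never examined
    return Verdict.SUSPICIOUS if findings else Verdict.CLEAN


def scan_zip_fail_closed(zip_bytes: bytes) -> tuple:
    """Hardened form: every member is attempted, read/parse errors are recorded as
    results in their own right, and a partially inspected archive is never 'clean'."""
    findings, errors = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        return Verdict.UNSCANNABLE, [], [f"archive: {exc}"]
    with zf:
        for name in zf.namelist():
            if not name.endswith(PICKLE_SUFFIXES):
                continue
            try:
                findings += scan_pickle_bytes(zf.read(name))
            except (zipfile.BadZipFile, ValueError, OSError) as exc:
                errors.append(f"{name}: {exc}")  # record it and keep scanning the others
    verdict = Verdict.SUSPICIOUS if findings else Verdict.UNSCANNABLE if errors else Verdict.CLEAN
    return verdict, findings, errors


def corrupt_member_data(zip_bytes: bytes, member_name: str) -> bytes:
    """Constructed bad input: flip one byte of a STORED member's data so the recorded
    CRC-32 no longer matches. Lengths of name/extra sit at offset 26 of the 30-byte header."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        header_off = zf.getinfo(member_name).header_offset
    name_len, extra_len = struct.unpack_from("<HH", zip_bytes, header_off + 26)
    buf = bytearray(zip_bytes)
    buf[header_off + 30 + name_len + extra_len] ^= 0xFF
    return bytes(buf)


def build_sample(include_hook: bool = False, corrupt_weights: bool = False) -> bytes:
    """Constructed sample archive: a JSON config (not scanned), a benign pickle and,
    optionally, a pickle that merely references os.system through a GLOBAL opcode."""
    members = [("config.json", b'{"layers": 2}'),
               ("weights.pkl", pickle.dumps({"w": [0.1, 0.2]}))]
    if include_hook:
        members.append(("hook.pkl", b"cos\nsystem\n."))  # protocol-0 GLOBAL; nothing is called
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    archive = buf.getvalue()
    return corrupt_member_data(archive, "weights.pkl") if corrupt_weights else archive


if __name__ == "__main__":
    for label, archive in [("intact, benign", build_sample()),
                           ("intact, os.system reference", build_sample(include_hook=True)),
                           ("bad CRC + os.system reference", build_sample(True, True))]:
        print(f"{label:32s} fail-open={scan_zip_fail_open(archive).value:10s} "
              f"fail-closed={scan_zip_fail_closed(archive)[0].value}")
```

Run as a script, the third row is the interesting one: the fail-open scanner halts on the bad CRC in `weights.pkl` and reports the archive clean although `hook.pkl` references `os.system`, while the fail-closed scanner still reaches `hook.pkl` and reports it. The design point for any wrapper around a scanner is the same: a verdict has three states, not two, and "could not scan" must route to the same handling as "suspicious" rather than to "safe".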

CWE(s)

CWE-755 Improper Handling of Exceptional Conditions

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1685 Disable or Modify Tools (Defense Impairment): Adversaries may disable, degrade, or tamper with security tools or applications (e.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Bypasses picklescan ZIP inspection via CRC exception (impairs detection tool); enables undetected malicious pickle loading for Python code execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1716 (same product: Mmaitre314 Picklescan)
CVE-2025-1889 (same product: Mmaitre314 Picklescan)
CVE-2025-1945 (same product: Mmaitre314 Picklescan)
CVE-2026-44902 (shared CWE-755)
CVE-2026-28542 (shared CWE-755)
CVE-2026-23666 (shared CWE-755)
CVE-2026-8162 (shared CWE-755)
CVE-2026-27586 (shared CWE-755)
CVE-2026-27195 (shared CWE-755)
CVE-2026-21906 (shared CWE-755)

Affected Assets

mmaitre314 picklescan, versions ≤ 0.0.31

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-2, Flaw Remediation): Directly remediates the improper exception handling flaw in picklescan's ZIP scanning component via timely patching as specified in the vendor advisory.

Prevent (SI-11, Error Handling): Mandates secure error handling for exceptional conditions, such as a bad CRC in a ZIP archive, so the scanner does not halt prematurely and every member is inspected for malicious pickles.

Prevent: Validates ZIP archive inputs for structural integrity, including CRC checks, prior to scanning, blocking malformed archives that could bypass analysis.
