Cyber Posture

CVE-2025-1889

Severity: Critical · Public PoC

Published: 03 March 2025
Modified: 29 December 2025
KEV Added: not listed
Patch: picklescan 0.0.22 or later
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (14.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1889 is a critical-severity Reliance on File Name or Extension of Externally-Supplied File (CWE-646) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerade File Type (T1036.008). EPSS ranks it at the 14.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under Other Platforms and falls in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Masquerade File Type (T1036.008) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires identification, prioritization, and remediation of flaws like CVE-2025-1889 in picklescan, eliminating the false negatives caused by non-standard pickle file extensions.

RA-5 Vulnerability Monitoring and Scanning (prevent)
Mandates the use of updatable vulnerability scanning tools, addressing limitations such as CVE-2025-1889's restriction of scan scope to standard extensions so that unsafe pickles are detected comprehensively.

SI-5 Security Alerts, Advisories, and Directives (prevent)
Ensures receipt and dissemination of security advisories such as GHSA-655q-fx9r-782v for CVE-2025-1889, enabling timely awareness and patching of the scanning-tool vulnerability.

MITRE ATT&CK Enterprise Techniques

T1036.008 Masquerade File Type (Stealth)
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents.

T1027.009 Embedded Payloads (Stealth)
Adversaries may embed payloads within other files to conceal malicious content from defenses.

T1211 Exploitation for Stealth (Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability allows malicious pickle deserialization payloads to bypass picklescan detection via non-standard file extensions or undetected unsafe globals (e.g., pip.main). This enables file type masquerading, embedding payloads in archives such as PyTorch models, and exploitation of the security scanning tool itself for defense evasion, ultimately leading to RCE.

NVD Description

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.

Deeper analysis

CVE-2025-1889 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting picklescan versions prior to 0.0.22. Picklescan is a vulnerability scanning tool that detects unsafe pickle usage in Python files, but it only considers files with standard pickle extensions (such as .pkl or .pickle) within its scan scope. This limitation allows malicious pickle files with non-standard extensions to evade detection, leading to false negatives where unsafe files appear secure. The issue is linked to CWE-646 (Reliance on File Name or Extension) and NVD-CWE-noinfo.

An attacker can exploit this vulnerability by crafting a malicious Python model or package that incorporates a dangerous pickle file renamed with a non-standard extension. A security practitioner or developer using the vulnerable picklescan to scan a repository or artifact containing this malicious file would receive a clean bill of health, potentially leading to the file being trusted and loaded. Upon deserialization, the pickle file could execute arbitrary code, resulting in high confidentiality, integrity, and availability impacts remotely with no authentication or user interaction required.

The GitHub security advisory (GHSA-655q-fx9r-782v) and Sonatype advisory detail mitigation steps, primarily recommending an upgrade to picklescan 0.0.22 or later, which expands the scan scope to include non-standard pickle extensions and prevents such bypasses. Practitioners should rescan existing models or dependencies after patching to identify previously missed threats.
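As an added illustration (not code from this page or from the picklescan project), the scanner below contrasts gating the scan on file name with identifying pickle streams by content: it walks an archive's members with pickletools, treats any member that disassembles as a pickle stream as in scope whatever it is called, and reports references to a denylist of globals without ever unpickling anything. The denylist, the ".pkl/.pickle" extension tuple and the sample archive are assumptions constructed for the example.

```python
import io
import pickle
import pickletools
import zipfile

# Constructed denylist: a tiny illustrative subset, not picklescan's real list.
UNSAFE_GLOBALS = {("os", "system"), ("builtins", "eval"), ("subprocess", "Popen"), ("pip", "main")}

def looks_like_pickle(data: bytes) -> bool:
    # Content check, not a name check: does the byte stream disassemble cleanly up
    # to a STOP opcode? Erring toward "yes" only costs an extra static inspection.
    try:
        list(pickletools.genops(data))
        return True
    except Exception:  # unknown opcode, truncated stream, empty file
        return False

def unsafe_globals(data: bytes) -> list:
    # Static opcode walk; nothing is unpickled. STACK_GLOBAL takes module/name from
    # the two most recent string pushes (memo lookups via BINGET are not resolved).
    strings, hits = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING"):
            strings.append(arg)
        elif op.name == "GLOBAL" or (op.name == "STACK_GLOBAL" and len(strings) >= 2):
            module, name = arg.split(" ", 1) if op.name == "GLOBAL" else strings[-2:]
            if (module, name) in UNSAFE_GLOBALS:
                hits.append((module, name))
    return hits

def scan_by_content(zip_bytes: bytes) -> dict:
    # Inspect every member that is a pickle by content, whatever it is named.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        blobs = {i.filename: zf.read(i) for i in zf.infolist()}
    return {n: unsafe_globals(d) for n, d in blobs.items() if looks_like_pickle(d)}

def scan_by_extension(zip_bytes: bytes) -> dict:
    # The CWE-646 behaviour: members not named .pkl/.pickle are never opened at all.
    return {n: f for n, f in scan_by_content(zip_bytes).items() if n.endswith((".pkl", ".pickle"))}

def build_sample_archive() -> bytes:
    # Constructed input: a benign pickle under .pkl, a JSON file, and a pickle under a
    # .dat name that merely references os.system (no REDUCE opcode; nothing is loaded).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/weights.pkl", pickle.dumps({"layers": 3}, protocol=2))
        zf.writestr("model/config.json", b'{"layers": 3}')
        zf.writestr("model/extra.dat", b"\x80\x04\x8c\x02os\x8c\x06system\x93.")
    return buf.getvalue()
```

Run against the sample archive, scan_by_extension reports only the clean weights.pkl and misses extra.dat entirely, while scan_by_content flags the os.system reference in extra.dat.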

Details

CWE(s): CWE-646 (Reliance on File Name or Extension of Externally-Supplied File); NVD-CWE-noinfo

Affected Products: mmaitre314 picklescan ≤ 0.0.22

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped

Classification Reason: Picklescan is a security scanning tool specifically designed to detect vulnerabilities in Python pickle files, which are commonly used for serializing machine learning models (e.g., in PyTorch via torch.load()). The vulnerability enables bypassing scans for malicious pickles embedded in ML models with non-standard extensions, directly impacting AI/ML model security.

CVEs Like This One

CVE-2025-1945 (same product: Mmaitre314 Picklescan)
CVE-2025-1716 (same product: Mmaitre314 Picklescan)
CVE-2025-10156 (same product: Mmaitre314 Picklescan)

References