Cyber Resilience

CVE-2025-1945

Medium · Public PoC

Published: 10 March 2025
Modified: 29 December 2025
CVSS v4 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0087 (75.6th percentile)
Risk priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1945 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Embedded Payloads (T1027.009). The CVE ranks in the top 24.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

This vulnerability is AI-related: it is categorised under Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-1945 affects picklescan, a tool that scans Python pickle files for malicious content, in versions before 0.0.23. The vulnerability stems from picklescan's failure to detect malicious pickle files embedded inside PyTorch model archives when an attacker flips specific ZIP file flag bits in the headers. Such modified archives evade picklescan's scan but are still loaded successfully by PyTorch's torch.load() function, enabling arbitrary code execution when the model is loaded. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-345.

An attacker can exploit this vulnerability by crafting a compromised PyTorch model archive with hidden malicious pickle data that bypasses picklescan scanning. Exploitation requires no authentication or privileges and can occur remotely over the network with low attack complexity and no user interaction beyond the victim loading the model. Successful attacks grant attackers arbitrary code execution on the victim's system, potentially compromising entire environments that process untrusted PyTorch models.

The picklescan project addresses this in version 0.0.23 via a GitHub commit (e58e45e0d9e091159c1554f9b04828bbb40b9781) that improves ZIP header flag inspection. Practitioners should upgrade to this version or later, as recommended in the project's security advisory (GHSA-w8jq-xcqf-f792) and Sonatype's advisory on CVE-2025-1945.

This vulnerability carries relevance to AI/ML pipelines, given PyTorch's prevalence in model serialization and the risk of supply chain compromise in shared model repositories.
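As an added, defender-side example (not the picklescan project's code and not the fix in commit e58e45e0d9e091159c1554f9b04828bbb40b9781): a fail-closed audit of a PyTorch model archive's ZIP headers that reports any general-purpose flag bits outside an assumed allow-list, any disagreement between the local-header and central-directory copies of the flags, and any archive that Python's zipfile cannot fully read. The advisory does not say which bits the bypass flipped, so the allow-list, the constructed sample archive and the bit set by the test fixture `set_local_flag_bit` are all assumptions.

```python
import io, struct, zipfile

CENTRAL_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
# Bits 1-2: compression options, bit 3: data descriptor, bit 11: UTF-8 names; any other
# general-purpose flag bit is reported (an assumed allow-list, not the advisory's).
ALLOWED_FLAG_BITS = (1 << 1) | (1 << 2) | (1 << 3) | (1 << 11)

def _central_entries(data):
    """Yield (name, flags, local_header_offset) by walking the central directory."""
    end = data.rfind(EOCD_SIG)
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, end + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        flags, = struct.unpack_from("<H", data, pos + 8)
        n_len, x_len, c_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + n_len].decode("utf-8", "replace"), flags, local_off
        pos += 46 + n_len + x_len + c_len

def audit_archive(data):
    """Return findings; empty means no header anomaly. Parse errors are findings too."""
    findings = []
    try:
        for name, cflags, local_off in _central_entries(data):
            lflags, = struct.unpack_from("<H", data, local_off + 6)  # local header copy
            if lflags != cflags:  # the two copies of the flags must agree
                findings.append(f"{name}: flag mismatch local={lflags:#06x} central={cflags:#06x}")
            if odd := (lflags | cflags) & ~ALLOWED_FLAG_BITS:
                findings.append(f"{name}: unexpected flag bits {odd:#06x}")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # cross-check with Python's own reader
            for info in zf.infolist():
                zf.open(info).read()  # raises on entries zipfile refuses to decode
    except Exception as exc:  # fail closed: an unparsable archive is never "clean"
        findings.append(f"parse failure treated as suspicious: {exc}")
    return findings

def build_model_archive(entries):
    """Constructed sample: a minimal PyTorch-style archive (names and bytes are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def set_local_flag_bit(data, name, bit):
    """Test fixture: set one flag bit in the local header of `name` only (assumed bit)."""
    pos = next(off for n, _f, off in _central_entries(data) if n == name) + 6
    flags = struct.unpack_from("<H", data, pos)[0] | (1 << bit)
    return data[:pos] + struct.pack("<H", flags) + data[pos + 2:]
```

A non-empty finding list is a reason to refuse to load the archive before it ever reaches torch.load(); it does not replace upgrading picklescan to 0.0.23 or later.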

EU & UK References

Vulnerability details

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

CWE(s)

AI Security Analysis

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: pytorch

Related Threats

MITRE ATT&CK Enterprise Techniques

T1027.009 Embedded Payloads (Stealth): Adversaries may embed payloads within other files to conceal malicious content from defenses.
T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1211 Exploitation for Defense Evasion (Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

CVE-2025-1945 enables embedding malicious pickle payloads in PyTorch ZIP model archives via ZIP flag modifications, evading PickleScan detection (T1211: Exploitation for Defense Evasion; T1027.009: Embedded Payloads) while allowing arbitrary code execution upon loading, facilitating ML supply chain attacks (T1195.002: Compromise Software Supply Chain).

CVEs Like This One

CVE-2025-1889 (same product: Mmaitre314 Picklescan)
CVE-2025-1716 (same product: Mmaitre314 Picklescan)
CVE-2025-10156 (same product: Mmaitre314 Picklescan)
CVE-2025-24903 (shared CWE-345)
CVE-2026-35051 (shared CWE-345)
CVE-2025-63910 (shared CWE-345)
CVE-2026-33143 (shared CWE-345)
CVE-2026-33243 (shared CWE-345)
CVE-2025-27680 (shared CWE-345)
CVE-2026-3012 (shared CWE-345)

Affected Assets

mmaitre314 picklescan ≤ 0.0.23

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of security flaws such as the ZIP header flag manipulation bypass in picklescan versions before 0.0.23.

SI-3 Malicious Code Protection (prevent, detect): Deploys and maintains malicious code protection mechanisms, including updated scanners like picklescan 0.0.23, to detect hidden malicious pickle files in PyTorch model archives.

Integrity monitoring (detect): Monitors for and detects unauthorized changes or integrity violations in PyTorch model files that could hide malicious pickle payloads via ZIP header modifications.

References