Cyber Posture

CVE-2025-1945

Critical · Public PoC

Published: 10 March 2025
Modified: 29 December 2025
KEV Added: n/a (not in the CISA KEV catalog)
Patch: fixed in picklescan 0.0.23
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0067 (71.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1945 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Embedded Payloads (T1027.009). The EPSS score places it in the top 28.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Deep Learning Frameworks; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Embedded Payloads (T1027.009) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of security flaws such as the ZIP header flag manipulation bypass in picklescan versions before 0.0.23.

SI-3 Malicious Code Protection (prevent, detect): Deploys and maintains malicious code protection mechanisms, including updated scanners such as picklescan 0.0.23 or later, to detect hidden malicious pickle files in PyTorch model archives.

Integrity monitoring (detect): Monitors for and detects unauthorized changes or integrity violations in PyTorch model files that could hide malicious pickle payloads via ZIP header modifications.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1027.009 Embedded Payloads (Stealth): Adversaries may embed payloads within other files to conceal malicious content from defenses.
T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1211 Exploitation for Defense Evasion (Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

CVE-2025-1945 enables embedding malicious pickle payloads in PyTorch ZIP model archives via ZIP flag modifications, evading PickleScan detection (T1211: Exploitation for Defense Evasion; T1027.009: Embedded Payloads) while allowing arbitrary code execution upon loading, facilitating ML supply chain attacks (T1195.002: Compromise Software Supply Chain).

NVD Description

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

Deeper analysis (AI-generated)

CVE-2025-1945 affects picklescan versions before 0.0.23, a tool designed to scan Python pickle files for malicious content. The vulnerability stems from picklescan's failure to detect malicious pickle files embedded inside PyTorch model archives when attackers flip specific ZIP file flag bits in the headers. These modified archives evade detection by picklescan but are still successfully loaded by PyTorch's torch.load() function, enabling arbitrary code execution upon model loading. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-345.

An attacker can exploit this vulnerability by crafting a compromised PyTorch model archive with hidden malicious pickle data that bypasses picklescan scanning. Exploitation requires no authentication or privileges and has low attack complexity; the attacker's only prerequisite is getting the crafted model in front of a victim who loads it, for example through a shared model repository. A successful attack grants arbitrary code execution on the victim's system, potentially compromising entire environments that process untrusted PyTorch models.

The picklescan project addresses this in version 0.0.23 via a GitHub commit (e58e45e0d9e091159c1554f9b04828bbb40b9781) that improves ZIP header flag inspection. Practitioners should upgrade to this version or later, as recommended in the project's security advisory (GHSA-w8jq-xcqf-f792) and Sonatype's advisory on CVE-2025-1945.

This vulnerability carries relevance to AI/ML pipelines, given PyTorch's prevalence in model serialization and the risk of supply chain compromise in shared model repositories.
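The integrity-monitoring control listed above and the analysis in this section both come down to one defensive idea: do not trust a single lenient ZIP parser to tell you what a model archive contains. The following is an added example (not picklescan's code and not the project's fix) of such a check: it parses every local file header straight from the bytes and cross-checks it against the central directory, then walks each pickle-looking member's opcode stream with pickletools (never pickle.loads) and reports imports from modules that give code execution. The archive layout, the member names, the two hand-built pickle streams and the flipped bit (bit 3, the data-descriptor flag) are all constructed here for illustration; the page does not say which bits the real bypass flips, so the flip is only a stand-in for a local-header modification that the central directory does not reflect.

```python
import io
import pickle
import pickletools
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # sig, version, flags, method, time, date, crc32, csize, usize, nlen, xlen
GP_FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: an arbitrary header tweak for this demo, not the CVE's specific bit
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "runpy", "shutil"}  # illustrative

def parse_local_headers(data):
    """Scan the raw bytes for local file headers, independently of the central directory."""
    out, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + LOCAL_HDR.size:pos + LOCAL_HDR.size + nlen].decode("utf-8", "replace")
        out.append((pos, name, flags, csize))
        pos += LOCAL_HDR.size + nlen + xlen + csize  # csize may be 0 under bit 3; find() resyncs on the next signature
    return out

def audit_headers(data):
    """Cross-check every local header against the central directory; each mismatch is an integrity finding."""
    central = {zi.filename: zi for zi in zipfile.ZipFile(io.BytesIO(data)).infolist()}
    findings, seen = [], set()
    for off, name, flags, csize in parse_local_headers(data):
        seen.add(name)
        zi = central.get(name)
        if zi is None or zi.header_offset != off:
            findings.append(f"{name}: local header at offset {off} is not referenced by the central directory")
            continue
        if flags != zi.flag_bits:
            findings.append(f"{name}: flag bits differ (local=0x{flags:04x}, central=0x{zi.flag_bits:04x})")
        if not flags & GP_FLAG_DATA_DESCRIPTOR and csize != zi.compress_size:
            findings.append(f"{name}: compressed size differs (local={csize}, central={zi.compress_size})")
    findings.extend(f"{n}: central directory entry without a local header" for n in central.keys() - seen)
    return findings

def carve_member(data, zi):
    """Read member bytes from central-directory geometry, bypassing zipfile's own local-header checks."""
    nlen, xlen = LOCAL_HDR.unpack_from(data, zi.header_offset)[9:11]
    start = zi.header_offset + LOCAL_HDR.size + nlen + xlen
    raw = data[start:start + zi.compress_size]
    return zlib.decompress(raw, -zlib.MAX_WBITS) if zi.compress_type == zipfile.ZIP_DEFLATED else raw

def dangerous_globals(blob):
    """Walk the opcode stream with pickletools (no execution); return 'module.name' for risky imports."""
    hits, strings = [], []
    try:
        for op, arg, _ in pickletools.genops(blob):
            if op.name.endswith(("STRING", "UNICODE", "UNICODE8")):  # string pushes are STACK_GLOBAL's operands
                strings.append(arg)
            elif op.name in ("GLOBAL", "STACK_GLOBAL"):
                # GLOBAL (protocol <= 3) carries "module name"; STACK_GLOBAL (>= 4) takes the last two strings pushed
                module, name = arg.split(" ", 1) if op.name == "GLOBAL" else strings[-2:]
                if module in DANGEROUS_MODULES:
                    hits.append(f"{module}.{name}")
    except Exception as exc:  # a stream the parser cannot walk is itself worth reporting, not silently skipped
        hits.append(f"<unparseable pickle: {exc}>")
    return hits

def scan_archive(data):
    """Header integrity findings plus risky imports for every member that looks like a pickle."""
    report = {"header_findings": audit_headers(data), "pickle_findings": {}}
    for zi in zipfile.ZipFile(io.BytesIO(data)).infolist():
        blob = carve_member(data, zi)
        # sniff the PROTO opcode (0x80, version 2..5) so a pickle without a .pkl name is still scanned
        if zi.filename.endswith(".pkl") or (len(blob) >= 2 and blob[0] == 0x80 and 2 <= blob[1] <= 5):
            if hits := dangerous_globals(blob):
                report["pickle_findings"][zi.filename] = hits
    return report

# constructed streams, never loaded here: os.system("echo pwned") as protocol-2 GLOBAL and as protocol-4 STACK_GLOBAL
EVIL_P2 = b"\x80\x02cos\nsystem\n(Vecho pwned\ntR."
EVIL_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x0aecho pwned\x85R."
BENIGN = pickle.dumps({"weights": [0.5, -0.25], "epoch": 3})  # harmless control with no GLOBAL opcodes

def build_model_archive(data_pkl, blob):
    """Constructed stand-in for a torch.save() archive: a data.pkl plus one member with no pickle extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", data_pkl)
        zf.writestr("model/data/0", blob)
    return buf.getvalue()

def flip_local_flag_bit(data, member, bit):
    """Toggle one general-purpose flag bit in a member's local header only; the central directory is untouched."""
    for off, name, flags, _ in parse_local_headers(data):
        if name == member:
            patched = bytearray(data)
            struct.pack_into("<H", patched, off + 6, flags ^ bit)  # flags sit at byte 6 of the local header
            return bytes(patched)
    raise KeyError(member)

def run_demo():
    """Scan an archive with an evil data.pkl plus an evil pickle hidden without a .pkl name, then a bit-flipped copy."""
    original = build_model_archive(EVIL_P2, EVIL_P4)
    tampered = flip_local_flag_bit(original, "model/data.pkl", GP_FLAG_DATA_DESCRIPTOR)
    return {"original": scan_archive(original), "tampered": scan_archive(tampered)}
```

Running run_demo() shows the two halves of the check working together: the untouched archive produces no header findings but reports os.system from both data.pkl and the pickle hidden in model/data/0; the copy with one local-header bit flipped additionally reports the flag-bit mismatch and, because members are carved from the central-directory geometry rather than opened through zipfile's own checks, still yields the same pickle findings. That is the practical lesson of this advisory: a scanner has to walk the bytes a loader will actually consume, not the view a single parser happens to present.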

Details

CWE(s): CWE-345 Insufficient Verification of Data Authenticity

Affected Products: mmaitre314 picklescan, versions before 0.0.23 (0.0.23 contains the fix)

AI Security Analysis (AI-generated)

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: The vulnerability affects picklescan's scanning of PyTorch model archives (.pth files), which are ZIP-based and loaded via PyTorch's torch.load(). PyTorch is a core deep learning framework, and the issue enables supply chain attacks on PyTorch models.

CVEs Like This One

CVE-2025-1889 · Same product: Mmaitre314 Picklescan
CVE-2025-1716 · Same product: Mmaitre314 Picklescan
CVE-2025-10156 · Same product: Mmaitre314 Picklescan
CVE-2025-27680 · Shared CWE-345
CVE-2026-24775 · Shared CWE-345
CVE-2025-63910 · Shared CWE-345
CVE-2026-24772 · Shared CWE-345
CVE-2024-39805 · Shared CWE-345
CVE-2026-25474 · Shared CWE-345
CVE-2026-25921 · Shared CWE-345

References