PYSEC-2025-152
Vulnerability from pysec - Published: 2025-09-17 11:15 - Updated: 2026-05-20 09:19
VLAI
Details
An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Severity
9.8 (Critical)
Impacted products
| Name | purl | picklescan | pkg:pypi/picklescan |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan",
"purl": "pkg:pypi/picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1",
"0.0.10",
"0.0.11",
"0.0.12",
"0.0.13",
"0.0.14",
"0.0.15",
"0.0.16",
"0.0.17",
"0.0.18",
"0.0.19",
"0.0.2",
"0.0.20",
"0.0.21",
"0.0.22",
"0.0.23",
"0.0.24",
"0.0.25",
"0.0.26",
"0.0.27",
"0.0.28",
"0.0.29",
"0.0.3",
"0.0.30",
"0.0.4",
"0.0.5",
"0.0.6",
"0.0.7",
"0.0.8",
"0.0.9"
]
}
],
"aliases": [
"CVE-2025-10156",
"GHSA-mjqp-26hc-grxg"
],
"details": "An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files.\u00a0When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.",
"id": "PYSEC-2025-152",
"modified": "2026-05-20T09:19:10.835546Z",
"published": "2025-09-17T11:15:32.020Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35"
},
{
"type": "WEB",
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true"
},
{
"type": "WEB",
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main"
},
{
"type": "EVIDENCE",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
CVE-2025-10156 (GCVE-0-2025-10156)
Vulnerability from cvelistv5 – Published: 2025-09-17 10:41 – Updated: 2025-09-17 13:04
VLAI
Title
PickleScan Security Bypass via Bad CRC in ZIP Archive
Summary
An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Severity
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://huggingface.co/jinaai/jina-embeddings-v2-… | exploit |
| https://huggingface.co/jinaai/jina-embeddings-v2-… | exploit |
| https://github.com/mmaitre314/picklescan/blob/v0.… | related |
| https://github.com/mmaitre314/picklescan/security… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mmaitre314 | picklescan |
Affected:
0 , ≤ 0.0.30
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10156",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:04:29.318926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:04:36.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "picklescan",
"vendor": "mmaitre314",
"versions": [
{
"changes": [
{
"at": "0.0.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.0.30",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JFrog"
},
{
"lang": "en",
"type": "finder",
"value": "@xdcrev"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files.\u0026nbsp;When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.\n\n\u003c/p\u003e"
}
],
"value": "An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files.\u00a0When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft a malicious pickle payload, package it into a ZIP archive, and intentionally introduce a CRC error. This causes PickleScan to fail while a target application like PyTorch may still load the model, creating a blind spot that could lead to arbitrary code execution."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T10:41:51.737Z",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"name": "Proof of Concept (Archive with Bad CRC)",
"tags": [
"exploit"
],
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true"
},
{
"name": "Example of Failing Scan on Hugging Face",
"tags": [
"exploit"
],
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main"
},
{
"name": "Vulnerable Code Snippet",
"tags": [
"related"
],
"url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PickleScan Security Bypass via Bad CRC in ZIP Archive",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2025-10156",
"datePublished": "2025-09-17T10:41:51.737Z",
"dateReserved": "2025-09-09T11:07:36.610Z",
"dateUpdated": "2025-09-17T13:04:36.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-MJQP-26HC-GRXG
Vulnerability from github – Published: 2025-09-10 19:50 – Updated: 2025-09-18 12:51
VLAI
Summary
Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
Details
Summary
Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often disables CRC checks).
Details
Picklescan likely utilizes Python's built-in zipfile module to handle ZIP archives. When zipfile encounters a file within an archive that has a mismatch between the declared CRC and the calculated CRC, it can raise an exception (e.g., BadZipFile or a related error). It appears that Picklescan does not try to scan the files whatever the CRC is. This behavior contrasts with PyTorch's model loading capabilities, which in many cases might bypass CRC checks for ZIP archives - whatever the configuration is. This discrepancy creates a blind spot where a malicious model packaged in a ZIP with a bad CRC could be loaded by PyTorch while being completely missed by Picklescan.
PoC
- Download an existing Pytorch model with a bad CRC
wget <https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true> -O pytorch_model.bin
- Attempt to scan the corrupted ZIP file with PickleScan:
# Assuming you have Picklescan installed and in your PATH
picklescan -p pytorch_model.bin
Observed Result: Picklescan returns no results and presents an error message indicating a problem with the ZIP file, but it doesn’t attempt to scan any potentially valid pickle files within the archive.
Expected Result: Picklescan should either:
- Attempt to extract and scan other valid files within the ZIP archive, even if some have CRC errors.
- Report a warning indicating that the ZIP archive has CRC errors and might be incomplete or corrupted, but still attempt to scan any accessible content.
Impact
Severity: High
Affected Users: Any organization or individual using Picklescan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.
Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads, package them into ZIP archives, and intentionally introduce CRC errors. This would cause Picklescan to fail to analyze the archive, while PyTorch is still able to load the model (depending on its configuration regarding CRC checks). This creates a significant vulnerability where malicious code can be distributed and potentially executed without detection by Picklescan.
Ex: Picklescan on HuggingFace goes into error (https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main)
Recommendations: Picklescan should not fail on Bad CRC check, especially if Pytorch is not checking CRC. Relaxed Zipfile is perfect to fix this issue:
--- picklescan/src/picklescan/relaxed_zipfile.py
+++ picklescan/src/picklescan/relaxed_zipfile.py
@@ class RelaxedZipFile(zipfile.ZipFile):
try:
# Skip the file header:
fheader = zef_file.read(sizeFileHeader)
if len(fheader) != sizeFileHeader:
raise zipfile.BadZipFile("Truncated file header")
fheader = struct.unpack(structFileHeader, fheader)
if fheader[_FH_SIGNATURE] != stringFileHeader:
raise zipfile.BadZipFile("Bad magic number for file header")
zef_file.read(fheader[_FH_FILENAME_LENGTH])
if fheader[_FH_EXTRA_FIELD_LENGTH]:
zef_file.read(fheader[_FH_EXTRA_FIELD_LENGTH])
- return zipfile.ZipExtFile(zef_file, mode, zinfo, pwd, True)
+
+ # Create the ZipExtFile and disable CRC check
+ ext_file = zipfile.ZipExtFile(zef_file, mode, zinfo, pwd)
+ # Monkey-patch to skip CRC validation
+ ext_file._expected_crc = None
+ return ext_file
except BaseException:
zef_file.close()
raise
Severity
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.30"
},
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10156"
],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-10T19:50:46Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nPicklescan\u0027s ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often disables CRC checks).\n\n\n### Details\nPicklescan likely utilizes Python\u0027s built-in zipfile module to handle ZIP archives. When zipfile encounters a file within an archive that has a mismatch between the declared CRC and the calculated CRC, it can raise an exception (e.g., BadZipFile or a related error). It appears that Picklescan does not try to scan the files whatever the CRC is.\nThis behavior contrasts with PyTorch\u0027s model loading capabilities, which in many cases might bypass CRC checks for ZIP archives - whatever the configuration is. This discrepancy creates a blind spot where a malicious model packaged in a ZIP with a bad CRC could be loaded by PyTorch while being completely missed by Picklescan.\n\n### PoC\n\n1. Download an existing Pytorch model with a bad CRC\n\n`wget \u003chttps://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true\u003e -O pytorch_model.bin`\n\n2. Attempt to scan the corrupted ZIP file with PickleScan:\n\n```\n# Assuming you have Picklescan installed and in your PATH\npicklescan -p pytorch_model.bin\n```\n\n\n**Observed Result**: Picklescan returns no results and presents an error message indicating a problem with the ZIP file, but it doesn\u2019t attempt to scan any potentially valid pickle files within the archive.\n\n**Expected Result:** Picklescan should either:\n\n- Attempt to extract and scan other valid files within the ZIP archive, even if some have CRC errors.\n- Report a warning indicating that the ZIP archive has CRC errors and might be incomplete or corrupted, but still attempt to scan any accessible content.\n\n### Impact\n**Severity**: High \n**Affected Users**: Any organization or individual using Picklescan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.\n**Impact Details**: Attackers can craft malicious PyTorch models containing embedded pickle payloads, package them into ZIP archives, and intentionally introduce CRC errors. This would cause Picklescan to fail to analyze the archive, while PyTorch is still able to load the model (depending on its configuration regarding CRC checks). This creates a significant vulnerability where malicious code can be distributed and potentially executed without detection by Picklescan.\n**Ex: Picklescan on HuggingFace goes into error** (https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main)\n\n\n**Recommendations:**\nPicklescan should not fail on Bad CRC check, especially if Pytorch is not checking CRC.\nRelaxed Zipfile is perfect to fix this issue:\n```\n--- picklescan/src/picklescan/relaxed_zipfile.py\n+++ picklescan/src/picklescan/relaxed_zipfile.py\n@@ class RelaxedZipFile(zipfile.ZipFile):\n try:\n # Skip the file header:\n fheader = zef_file.read(sizeFileHeader)\n if len(fheader) != sizeFileHeader:\n raise zipfile.BadZipFile(\"Truncated file header\")\n\n fheader = struct.unpack(structFileHeader, fheader)\n if fheader[_FH_SIGNATURE] != stringFileHeader:\n raise zipfile.BadZipFile(\"Bad magic number for file header\")\n\n zef_file.read(fheader[_FH_FILENAME_LENGTH])\n if fheader[_FH_EXTRA_FIELD_LENGTH]:\n zef_file.read(fheader[_FH_EXTRA_FIELD_LENGTH])\n\n- return zipfile.ZipExtFile(zef_file, mode, zinfo, pwd, True)\n+\n+ # Create the ZipExtFile and disable CRC check\n+ ext_file = zipfile.ZipExtFile(zef_file, mode, zinfo, pwd)\n+ # Monkey-patch to skip CRC validation\n+ ext_file._expected_crc = None\n+ return ext_file\n\n except BaseException:\n zef_file.close()\n raise\n```",
"id": "GHSA-mjqp-26hc-grxg",
"modified": "2025-09-18T12:51:19Z",
"published": "2025-09-10T19:50:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35"
},
{
"type": "WEB",
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true"
},
{
"type": "WEB",
"url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…