CVE-2025-1944
Description
picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.
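The inconsistency the advisory describes is the local file header of a member carrying a different name than the central directory entry that points to it. Added here as an illustration, not code from the advisory or from the picklescan project, is a Python check that reports such mismatches member by member and fails closed on unparseable archives, with a constructed fixture (member names, `strict_open_fails`, `archive_verdict` are all this example's own) showing the strict stdlib reader raising BadZipFile on the tampered archive:

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG, NAME_LEN_OFF, NAME_OFF = b"PK\x03\x04", 26, 30  # sig; u16 name length; name start

def header_name_mismatches(data):
    """(central_directory_name, local_header_name) pairs that differ, read without ZipFile.open()."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # parses only the central directory
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_HEADER_SIG:
                mismatches.append((info.filename, None))
                continue
            (name_len,) = struct.unpack_from("<H", data, off + NAME_LEN_OFF)
            local_name = data[off + NAME_OFF:off + NAME_OFF + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches

def strict_open_fails(data, member):
    """True if the stdlib reader refuses the member, the exception picklescan <0.0.23 crashed on."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(member):
            return False
    except zipfile.BadZipFile:
        return True

def archive_verdict(data):
    """Fail closed: an archive the scanner cannot parse is never reported clean."""
    try:
        mismatches = header_name_mismatches(data)
    except zipfile.BadZipFile as exc:
        return f"reject: unparseable archive ({exc})"
    if mismatches:
        return "reject: name mismatch " + ", ".join(f"{c!r}/{l!r}" for c, l in mismatches)
    return "ok"

def build_fixture(tamper):
    """Constructed archive in the PyTorch zip layout; tamper=True rewrites one local header name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", b"\x80\x04N.")  # constructed pickle body (None)
        zf.writestr("model/version", b"3\n")
    data = bytearray(buf.getvalue())
    if tamper:  # same-length name in the local header, central directory untouched
        off = zipfile.ZipFile(io.BytesIO(bytes(data))).getinfo("model/data.pkl").header_offset
        data[off + NAME_OFF:off + NAME_OFF + 14] = b"model/xxxx.pkl"
    return bytes(data)
```

The defensive point is in `archive_verdict`: a scanner that crashes or returns early on BadZipFile must surface that as a rejection, since a more lenient loader may still read the archive.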
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | picklescan | <0.0.23 | 0.0.23 |
| PyPI | picklescan | <0.0.23 | commit e58e45e0d9e091159c1554f9b04828bbb40b9781 |
References
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82
- https://nvd.nist.gov/vuln/detail/CVE-2025-1944
- https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781
- https://github.com/mmaitre314/picklescan
- https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-20.yaml
- https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944