34 matches found

CVE | added 2025/03/10 11:43 a.m. | 68 views

CVE-2025-1945

The CVE-2025-1945 issue affects PickleScan before 0.0.23, which fails to detect malicious pickle payloads embedded inside PyTorch model archives when specific ZIP header flag bits are modified. By flipping ZIP flag bits (e.g., 0x1, 0x20, 0x40) in the archive, an attacker can place a malicious pic...

CVSS 9.8 | AI score 7.8 | EPSS 0.00871
Exploits 1 | References 3 | Affected Software 1
Vulnrichment | added 2025/03/10 11:30 a.m. | 13 views

CVE-2025-1944 picklescan ZIP archive manipulation attack leads to crash

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan...

CVSS 5.3 | AI score 7 | EPSS 0.00144
Exploits 1 | References 3
CVE | added 2025/03/10 11:30 a.m. | 64 views

CVE-2025-1944

Summary (concrete details): CVE-2025-1944 affects picklescan

CVSS 6.5 | AI score 7 | EPSS 0.00144
Exploits 1 | References 3 | Affected Software 1
Cvelist | added 2025/03/10 11:30 a.m. | 9 views

CVE-2025-1944 picklescan ZIP archive manipulation attack leads to crash

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan...

CVSS 5.3 | EPSS 0.00144
Exploits 1 | References 3
OSV | added 2025/03/03 7:59 p.m. | 13 views

GHSA-769V-P64C-89PR PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions

CVE-2025-1889 Summary Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains...

CVSS 5.3 | AI score 7.2 | EPSS 0.16248
Exploits 4 | References 5
Github Security Blog | added 2025/03/03 7:59 p.m. | 22 views

PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions

CVE-2025-1889 Summary Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains...

CVSS 9.8 | AI score 7.8 | EPSS 0.00057
Exploits 2 | References 5 | Affected Software 1
Snyk | added 2024/10/01 6:41 a.m. | 1 view

Arbitrary Code Execution

Overview: sentence-transformers is a State-of-the-Art Text Embeddings library. Affected versions of this package are vulnerable to Arbitrary Code Execution when loading PyTorch model files. The torch.load function, used without the weights_only=True parameter, could deserialize malicious Python objects from...

CVSS 8.3 | AI score 7.2
Exploits 0 | References 3
OSV | added 2024/06/04 12:31 p.m. | 1 view

GHSA-WF7F-8FXF-XFXC MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

CVSS 8.8 | AI score 7.4 | EPSS 0.00436
Exploits 1 | References 3
NVD | added 2024/06/04 12:15 p.m. | 12 views

CVE-2024-37059

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

CVSS 8.8 | AI score 8.8 | EPSS 0.00436
Exploits 1 | References 1
OSV | added 2024/06/04 12:15 p.m. | 1 view

CVE-2024-37059

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

CVSS 8.8 | AI score 6 | EPSS 0.00436
Exploits 1 | References 1
Vulnrichment | added 2024/06/04 12:1 p.m. | 17 views

CVE-2024-37059

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

CVSS 8.8 | AI score 8.8 | EPSS 0.00436
Exploits 1 | References 1
Cvelist | added 2024/06/04 12:1 p.m. | 19 views

CVE-2024-37059

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

CVSS 8.8 | AI score 8.8 | EPSS 0.00436
Exploits 1 | References 1
The Hacker News | added 2024/02/27 10:18 a.m. | 54 views

New Hugging Face Vulnerability Exposes AI Models to Supply Chain Attacks

Cybersecurity researchers have found that it's possible to compromise the Hugging Face Safetensors conversion service to ultimately hijack the models submitted by users and result in supply chain attacks. "It's possible to send malicious pull requests with attacker-controlled data from the Huggin...

CVSS 6.5 | AI score 7.8 | EPSS 0.02063
Exploits 1
Veracode | added 2023/10/03 5:21 a.m. | 32 views

Server Side Request Forgery (SSRF)

torchserve is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is caused by a missing input validation check in the default configuration for the property value of allowed_urls, which is used to restrict the URLs from which the application may load PyTorch models. This can lead to an...

CVSS 10 | AI score 6.9 | EPSS 0.91652
Exploits 6 | References 6 | Affected Software 1