
Github Security Blog
added 2025/03/03 7:59 p.m., 24 views

PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions

CVE-2025-1889. Summary: Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains...

CVSS 9.8 | AI score 7.8 | EPSS 0.00365
Exploits: 2 | References: 5 | Affected Software: 1

Snyk
added 2025/03/03 7:42 p.m., 4 views

Reliance on File Name or Extension of Externally-Supplied File

Overview: picklescan is a security scanner detecting Python Pickle files performing suspicious actions. Affected versions of this package are vulnerable to Reliance on File Name or Extension of Externally-Supplied File due to insufficient scanning of non-standard pickle file extensions. Remediation...

CVSS 9.8 | AI score 6.8 | EPSS 0.00365
Exploits: 2 | References: 2

OSV
added 2025/03/03 7:15 p.m., 9 views

PYSEC-2025-19

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not...

CVSS 9.8 | AI score 9.4 | EPSS 0.01498
Exploits: 4 | References: 5

CVE
added 2025/03/03 6:38 p.m., 124 views

CVE-2025-1889

CVE-2025-1889 involves the Python tool picklescan, where versions before 0.0.22 only consider standard pickle file extensions for scans. An attacker can embed a malicious pickle with a non‑standard extension inside a model or archive, bypassing detection and potentially enabling remote code execu...

CVSS 9.8 | AI score 9.4 | EPSS 0.00365
Exploits: 2 | References: 2 | Affected Software: 1

Vulnrichment
added 2025/03/03 6:38 p.m., 11 views

CVE-2025-1889 picklescan - Security scanning bypass via non-standard file extensions

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not...

CVSS 5.3 | AI score 6.4 | EPSS 0.00365
Exploits: 2 | References: 2