Moderate severityNVD Advisory· Published Mar 10, 2025· Updated Dec 29, 2025
picklescan ZIP archive manipulation attack leads to crash
CVE-2025-1944
Description
picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
picklescanPyPI | < 0.0.23 | 0.0.23 |
Affected products
2- Range: 0.0.1
Patches
Vulnerability mechanics
References
7- github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781ghsapatchWEB
- github.com/advisories/GHSA-7q5r-7gvp-wc82ghsaADVISORY
- github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-1944ghsaADVISORY
- www.sonatype.com/security-advisories/cve-2025-1944mitrethird-party-advisory
- github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-20.yamlghsaWEB
- sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944ghsaWEB
News mentions
0No linked articles in our index yet.