→

CVE-2025-1945: picklescan - Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-1945

CVE-2025-1945:

5.3

CVSS Score

4.0

-

CVSS Score

-

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.23	0.0.23

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from PickleScan's reliance on Python's zipfile module which strictly validated ZIP flag bits. The key vulnerable function was scan_zip_bytes in scanner.py that used zipfile.ZipFile directly. When flag bits like 0x1/0x20/0x40 were set, zipfile.ZipFile.open() would raise exceptions during header parsing, preventing PickleScan from examining the malicious pickle files. The patch replaced zipfile.ZipFile with a custom RelaxedZipFile implementation in scanner.py to tolerate these flags, confirming this was the primary vulnerability vector. The secondary mention of zipfile.ZipFile.open reflects the root cause in the dependency's behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-1945: picklescan - Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch

CVE-2025-1945:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

Basic Information

Basic Information

CVE-2025-1945: picklescan - Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-1945: picklescan - Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch

CVE-2025-1945:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2025-1945: picklescan - Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI