CVE-2025-10155

CVE-2025-10155 is a critical-severity improper input validation vulnerability in picklescan (pip), affecting versions <= 0.0.30. It is fixed in 0.0.31.

Summary

Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.

Details

The vulnerability stems from the logic in the scan_bytes function within picklescan/scanner.py, specifically around line 463: https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463
The code first checks if the file extension (file_ext) is in the pytorch_file_extension list. If it is (e.g., .bin), the scan_pytorch function is called. When a standard pickle file is encountered with a PyTorch extension, scan_pytorch will likely fail. Critically, the code then returns an Error without attempting to analyze the file as a standard pickle using scan_pickle_bytes. This prevents the detection of malicious payloads within such files.

PoC

  • Download a malicious pickle file with a standard .pkl extension:
    wget https://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true -O model.pkl

  • Scan the file with Picklescan (correct detection):
    /home/davfr/Tests/HF/dangerous_model/model.pkl: dangerous import 'builtins exec' FOUND
    ----------- SCAN SUMMARY -----------
    Scanned files: 1
    Infected files: 1
    Dangerous globals: 1

  • Rename the file to use a PyTorch-related extension (e.g., .bin):
    cp model.pkl model.bin

  • Scan the renamed file with Picklescan:

Observed Result: Picklescan fails and reports an error related to PyTorch parsing but does not detect the malicious pickle content.
Expected Result: Picklescan should recognize the file as a standard pickle format despite the .bin extension and scan it accordingly, identifying the malicious content.

Suggested Patch

--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -462,19 +462,28 @@ def scan_bytes(data: IO[bytes], file_id, file_ext: Optional[str] = None) -> Scan
     if file_ext is not None and file_ext in pytorch_file_extensions:
         try:
             return scan_pytorch(data, file_id)
         except InvalidMagicError as e:
-            _log.error(f"ERROR: Invalid magic number for file {e}")
-            return ScanResult([], scan_err=True)
+            _log.warning(f"PyTorch scan failed for {file_id} with extension {file_ext}: {e}")
+            # Don't return error here - continue to other scan methods
     elif file_ext is not None and file_ext in numpy_file_extensions:
-        return scan_numpy(data, file_id)
-    else:
-        is_zip = zipfile.is_zipfile(data)
-        data.seek(0)
-        if is_zip:
-            return scan_zip_bytes(data, file_id)
-        elif is_7z_file(data):
-            return scan_7z_bytes(data, file_id)
-        else:
-            return scan_pickle_bytes(data, file_id)
+        try:
+            return scan_numpy(data, file_id)
+        except Exception as e:
+            _log.warning(f"NumPy scan failed for {file_id}: {e}")
+    
+    # Always attempt additional format checks as fallback
+    data.seek(0)  # Reset stream position
+    is_zip = zipfile.is_zipfile(data)
+    data.seek(0)
+    if is_zip:
+        return scan_zip_bytes(data, file_id)
+    elif is_7z_file(data):
+        return scan_7z_bytes(data, file_id)
+    else:
+        # FIX: Always attempt pickle scanning as fallback
+        # This prevents the vulnerability where pickle files with wrong extensions bypass detection
+        return scan_pickle_bytes(data, file_id)

Impact

Severity: High
Affected Users: Any organization or individual relying on Picklescan to ensure the safety of PyTorch models or other files that might contain embedded pickle objects. This includes users downloading pre-trained models or receiving files that could potentially contain malicious code.
Impact Details: Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt, etc.). These files would then bypass PickleScan's detection mechanism, allowing the malicious code to execute when the file is loaded by a vulnerable application or user.
Potential Exploits: This vulnerability significantly weakens the security provided by PickleScan. It opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or even through direct file sharing. Users trusting PickleScan would be unknowingly exposed to these threats.
Recommendations
The most effective solution is to modify the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails or is not applicable. A suggested approach is:
Attempt PyTorch Scan: If the file extension matches a known PyTorch extension, attempt to scan it as a PyTorch object.
Fallback to Pickle Scan: Regardless of the success or failure of the PyTorch scan (or if the extension is not a PyTorch extension), always attempt to scan the file as a standard pickle. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities.

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact: varies by context: data corruption, logic bypass, or denial of service.

CVE-2025-10155 has a CVSS score of 7.8 (Critical). The vector is requires local access, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.31); upgrading removes the vulnerable code path.

Affected versions

picklescan (<= 0.0.30)

Security releases

picklescan → 0.0.31 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade picklescan to 0.0.31 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-10155? CVE-2025-10155 is a critical-severity improper input validation vulnerability in picklescan (pip), affecting versions <= 0.0.30. It is fixed in 0.0.31. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. How severe is CVE-2025-10155? CVE-2025-10155 has a CVSS score of 7.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of picklescan are affected by CVE-2025-10155? picklescan (pip) versions <= 0.0.30 is affected.
  4. Is there a fix for CVE-2025-10155? Yes. CVE-2025-10155 is fixed in 0.0.31. Upgrade to this version or later.
  5. Is CVE-2025-10155 exploitable, and should I be worried? Whether CVE-2025-10155 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-10155 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-10155? Upgrade picklescan to 0.0.31 or later.

Other vulnerabilities in picklescan

CVE-2026-3490CVE-2026-53875CVE-2026-53874CVE-2026-53872CVE-2025-71339

Stop the waste.
Protect your environment with Kodem.