Picklescan, ZIP Archive Manipulation, CVE-2025-1944 (Medium)

How the CVE Works:

CVE-2025-1944 affects Picklescan, a tool used to scan PyTorch model archives for malicious payloads, in versions before 0.0.23. The vulnerability arises from improper handling of ZIP archives. An attacker can change the filename stored in a ZIP entry's local file header while leaving the original filename in the archive's directory listing (the central directory). This discrepancy causes Picklescan to raise a `BadZipFile` error and crash during extraction and scanning. PyTorch's ZIP implementation, however, is more lenient and still loads the manipulated archive, so a malicious payload inside it bypasses Picklescan's detection. This flaw lets attackers deliver harmful models undetected, posing a significant security risk.

DailyCVE Form:

Platform: Picklescan
Version: < 0.0.23
Vulnerability: ZIP Archive Manipulation
Severity: Medium
Date: 03/10/2025

What Undercode Says:

Exploitation:

  1. Manipulate ZIP Header: Use tools like `zip` or Python’s `zipfile` module to modify the filename in the ZIP header while keeping the directory listing intact.

    import zipfile

    with zipfile.ZipFile('malicious_model.zip', 'w') as zipf:
        zipf.writestr('model.pt', b'malicious_payload')
        zipf.writestr('fake_header', b'')  # Manipulated header

  2. Bypass Detection: The manipulated ZIP file will crash Picklescan but load successfully in PyTorch.

    import torch

    model = torch.load('malicious_model.zip')  # Bypasses Picklescan


Protection:

  1. Update Picklescan: Ensure Picklescan is updated to version 0.0.23 or later.
    pip install --upgrade picklescan
    
  2. Validate ZIP Integrity: Implement additional checks to verify ZIP file consistency.

    import zipfile

    def validate_zip(file_path):
        with zipfile.ZipFile(file_path, 'r') as zipf:
            # testzip() returns the name of the first member that cannot be
            # read or whose CRC does not match, or None if every member passes
            if zipf.testzip() is not None:
                raise ValueError("Invalid ZIP file")
    
  3. Use Alternative Scanners: Employ additional security tools to scan PyTorch models.

    pip install torchscan
    torchscan --model malicious_model.zip
    
  4. Restrict Model Sources: Only load models from trusted sources.

    # Placeholder value: replace with the model paths you actually trust
    trusted_sources = ['/path/to/trusted/models/model.pt']
    if model_path not in trusted_sources:
        raise ValueError("Untrusted model source")
    
  5. Monitor for Crashes: Implement logging to detect and respond to Picklescan crashes.

    import logging
    from picklescan.scanner import scan_file_path

    logging.basicConfig(filename='picklescan.log', level=logging.ERROR)
    try:
        scan_file_path('model.zip')
    except Exception as e:
        logging.error(f"Picklescan crash: {e}")
    
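The name discrepancy described under "How the CVE Works", and the integrity check suggested in Protection step 2, can be made explicit by comparing every central-directory entry against its own local file header instead of relying on a reader that happens to be strict. The following is an added example written for this page; it is not Picklescan's or PyTorch's code. It uses only the Python standard library and constructs its own one-entry sample archive; the names `find_name_mismatches`, `stdlib_testzip_result` and `build_sample` are the example's own.

```python
import io
import struct
import zipfile

# Fixed part of a ZIP local file header (30 bytes): signature, version needed,
# flags, method, mod time, mod date, crc32, compressed size, uncompressed size,
# filename length, extra field length.
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)
LOCAL_HEADER_SIG = b"PK\x03\x04"
UTF8_NAME_FLAG = 0x800


def find_name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Compare each central-directory entry with its local file header.

    Returns (central_directory_name, local_header_name) pairs for entries whose
    two names disagree, which is the inconsistency behind CVE-2025-1944.
    An empty list means the archive's two name records agree.
    """
    mismatches = []
    buf = io.BytesIO(data)
    with zipfile.ZipFile(buf) as zf:
        # infolist() is parsed from the central directory (the "directory listing").
        for info in zf.infolist():
            buf.seek(info.header_offset)
            raw = buf.read(LOCAL_HEADER_SIZE)
            if len(raw) != LOCAL_HEADER_SIZE:
                raise ValueError(f"truncated local header for {info.filename!r}")
            fields = struct.unpack(LOCAL_HEADER_FMT, raw)
            if fields[0] != LOCAL_HEADER_SIG:
                raise ValueError(f"bad local header signature for {info.filename!r}")
            flags, name_len = fields[2], fields[9]
            encoding = "utf-8" if flags & UTF8_NAME_FLAG else "cp437"
            local_name = buf.read(name_len).decode(encoding)
            if local_name != info.orig_filename:
                mismatches.append((info.orig_filename, local_name))
    return mismatches


def stdlib_testzip_result(data: bytes):
    """What zipfile.ZipFile.testzip() reports for the same bytes.

    Python's zipfile performs the same name comparison when a member is opened
    and raises BadZipFile on a mismatch; testzip() catches that and returns the
    offending member's name, or None when every member checks out.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.testzip()


def build_sample(tamper: bool) -> bytes:
    """Constructed test input (not a real model): a one-entry stored archive.

    With tamper=True the name in the local file header is rewritten while the
    central directory still lists 'model.pt', reproducing the inconsistency.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model.pt", b"constructed placeholder bytes, not a real model")
    data = buf.getvalue()
    if tamper:
        # The local header precedes the entry data and the central directory, so
        # the first occurrence of the name is the local-header copy. Using a
        # replacement of equal length keeps every other offset in the file valid.
        idx = data.index(b"model.pt")
        data = data[:idx] + b"other.pt" + data[idx + len(b"model.pt"):]
    return data


if __name__ == "__main__":
    for tamper in (False, True):
        sample = build_sample(tamper)
        print("tampered" if tamper else "clean",
              "| mismatches:", find_name_mismatches(sample),
              "| testzip:", stdlib_testzip_result(sample))
```

For the clean sample both functions report nothing; for the tampered one `find_name_mismatches` returns `[('model.pt', 'other.pt')]` and `testzip()` returns `'model.pt'`. A loader that refuses any archive with a non-empty mismatch list rejects exactly the inputs a lenient ZIP reader would otherwise accept, independently of whether the scanner in front of it crashed.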

Analytics:

  • CVSS Score: 5.3 (Medium)
  • Attack Vector: Network
  • Impact: Low integrity, low availability
  • Exploitability: High

Commands:

  • Check Picklescan version:

    picklescan --version

  • Scan a model:

    picklescan --path model.zip

  • Validate ZIP file:

    zip -T malicious_model.zip
    

By following these steps, users can mitigate the risks associated with CVE-2025-1944 and ensure the security of their PyTorch models.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1944
