Sonatype researchers uncover vital vulnerabilities in picklescan. Learn the way these flaws impression AI mannequin safety, Hugging Face, and finest practices for builders.
Cybersecurity researchers at Sonatype have recognized a number of vulnerabilities inside picklescan, a device used for analyzing Python pickle recordsdata for malicious code. These recordsdata, generally used for storing and retrieving machine learning models, pose a safety threat attributable to their capability to execute arbitrary code through the strategy of retrieving the saved knowledge.
In line with Sonatype’s evaluation, shared with Hackread.com, in whole 4 vulnerabilities have been discovered:
- CVE-2025-1716– permits attackers to bypass the device’s checks and execute dangerous code;
- CVE-2025-1889– failure to detect hidden malicious recordsdata attributable to its reliance on file extensions;
- CVE-2025-1944– might be exploited by manipulating ZIP archive filenames to trigger the device to malfunction;
- CVE-2025-1945– failure to detect malicious recordsdata when sure bits inside ZIP archives are altered.
It’s value noting that platforms reminiscent of Hugging Face make the most of picklescan as a part of their safety measures to establish malicious AI fashions. The found vulnerabilities might enable malicious actors to bypass these safety checks, thereby posing a menace to builders who depend on open-source AI models, as they’ll result in “arbitrary code execution,” researchers famous. This implies, an attacker might probably take full management of a system.
“Given the function of picklescan throughout the wider AI/ML hygiene posture (e.g. when used with PyTorch), the vulnerabilities found by Sonatype could possibly be leveraged by menace actors to bypass malware scanning (no less than partially) and goal devs leveraging open supply AI,” researchers defined within the blog post.
Excellent news is that picklescan maintainer confirmed a powerful dedication to safety by promptly addressing vulnerabilities, releasing model 0.0.23, which patched flaws, minimizing the chance for malicious actors to use them.
Sonatype’s chief product officer, Mitchell Johnson, urges builders to keep away from utilizing pickle recordsdata from untrusted sources at any time when doable, and as an alternative make the most of safer file codecs. If pickle recordsdata have to be used, they need to solely be loaded in safe, managed environments. Furthermore, you will need to confirm the integrity of AI fashions by way of cryptographic signatures and checksums, and implementing multi-layered safety scanning.
The findings spotlight the rising want for superior, dependable safety measures in AI/ML pipelines. To mitigate the dangers, organizations ought to undertake practices reminiscent of using safer file codecs, using a number of safety scanning instruments, and monitoring for suspicious behaviour when loading pickle recordsdata.
