VulnerableCode Package Details - pkg:pypi/picklescan@0.0.23

Search for packages

Vulnerability	Summary	Fixed by
VCID-2syv-syp1-6yhk Aliases: CVE-2025-10155 GHSA-jgw4-cr84-mqxg PYSEC-2025-151	An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.	0.0.31 Affected by 0 other vulnerabilities.
VCID-auku-kbg2-2ybg Aliases: CVE-2025-10156 GHSA-mjqp-26hc-grxg PYSEC-2025-152	An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.	0.0.31 Affected by 0 other vulnerabilities.
VCID-avk4-jaz6-m3gw Aliases: CVE-2025-10157 GHSA-f7qq-56ww-84cr PYSEC-2025-153	A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.	0.0.31 Affected by 0 other vulnerabilities.
VCID-jfcq-vpg2-pkdn Aliases: CVE-2025-46417 GHSA-93mv-x874-956g PYSEC-2025-34	The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.	0.0.25 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-2syv-syp1-6yhk
Aliases:
CVE-2025-10155
GHSA-jgw4-cr84-mqxg
PYSEC-2025-151

An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.

0.0.31
Affected by 0 other vulnerabilities.

VCID-auku-kbg2-2ybg
Aliases:
CVE-2025-10156
GHSA-mjqp-26hc-grxg
PYSEC-2025-152

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.

0.0.31
Affected by 0 other vulnerabilities.

VCID-avk4-jaz6-m3gw
Aliases:
CVE-2025-10157
GHSA-f7qq-56ww-84cr
PYSEC-2025-153

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.

0.0.31
Affected by 0 other vulnerabilities.

VCID-jfcq-vpg2-pkdn
Aliases:
CVE-2025-46417
GHSA-93mv-x874-956g
PYSEC-2025-34

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

0.0.25
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ag3v-g92v-kbde	picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.	CVE-2025-1945 GHSA-w8jq-xcqf-f792 PYSEC-2025-21
VCID-w2h9-74te-tqhc	picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.	CVE-2025-1944 GHSA-7q5r-7gvp-wc82 PYSEC-2025-20

Vulnerability

Summary

Aliases

VCID-ag3v-g92v-kbde

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

CVE-2025-1945
GHSA-w8jq-xcqf-f792
PYSEC-2025-21

VCID-w2h9-74te-tqhc

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

CVE-2025-1944
GHSA-7q5r-7gvp-wc82
PYSEC-2025-20

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:23:20.245328+00:00	Pypa Importer	Affected by	VCID-avk4-jaz6-m3gw	https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-153.yaml	38.6.0
2026-06-02T04:23:20.097568+00:00	Pypa Importer	Affected by	VCID-auku-kbg2-2ybg	https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-152.yaml	38.6.0
2026-06-02T04:23:19.933495+00:00	Pypa Importer	Affected by	VCID-2syv-syp1-6yhk	https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-151.yaml	38.6.0
2026-06-02T04:22:59.563839+00:00	Pypa Importer	Affected by	VCID-jfcq-vpg2-pkdn	https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-34.yaml	38.6.0
2026-06-02T04:22:51.324676+00:00	Pypa Importer	Fixing	VCID-ag3v-g92v-kbde	https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-21.yaml	38.6.0
2026-06-02T04:22:51.192564+00:00	Pypa Importer	Fixing	VCID-w2h9-74te-tqhc	https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-20.yaml	38.6.0