3 Zero Day Vulnerabilities Found in PickleScan

The JFrog security research team has disclosed three zero-day vulnerabilities in PickleScan, a widely used tool for scanning Python pickle files, warning that the flaws could enable large-scale software supply chain attacks, particularly for organisations using the PyTorch machine-learning framework.

All three vulnerabilities are rated Critical with a CVSS score of 9.3. According to JFrog, attackers could exploit the issues to bypass PickleScan’s defences and execute arbitrary code by loading untrusted PyTorch models. The company said this poses a significant risk given PyTorch’s widespread use and the more than 200,000 publicly available models that can be downloaded from online repositories.

Because pickle files can embed executable code, scanning tools like PickleScan are used to prevent malicious payloads from being executed during model loading. JFrog said the newly identified issues show that standard scanning mechanisms can be circumvented, creating an opening for models containing hidden malware to be deployed into production environments.
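To make the two layers concrete, the following is an added example (not code from JFrog, PickleScan or PyTorch): a minimal static scan of the import opcodes a pickle stream will resolve, beside a restricted loader that refuses any import outside an allowlist. The allowlist, the sample "model" and the self-executing sample are constructed for this illustration.

```python
import io
import pickle
import pickletools
import platform
from collections import OrderedDict

# Constructed allowlist for this example: the only imports a weights file may
# resolve. A real one must mirror the framework's own rebuild helpers.
SAFE_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve an import only if the allowlist names it; refuse everything else."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked import {module}.{name}")

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Static scan, as a PickleScan-style tool does it: list every module.name
    the stream imports via GLOBAL (protocol <= 3) or STACK_GLOBAL (>= 4)."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)          # STACK_GLOBAL consumes the last two
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found

class _CallOnLoad:
    """Constructed sample: unpickling it calls platform.system(). Harmless here,
    but it shows that loading runs whatever callable the file's author chose."""
    def __reduce__(self):
        return (platform.system, ())

# Constructed inputs: a benign weights-like mapping and the self-executing sample.
BENIGN_PICKLE = pickle.dumps(OrderedDict(weights=[0.1, 0.2]), protocol=4)
SUSPICIOUS_PICKLE = pickle.dumps(_CallOnLoad(), protocol=4)

def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_blocked(data: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        safe_load(data)
        return False
    except pickle.UnpicklingError:
        return True
```

The scan reports the import before anything runs, while the restricted loader is the fallback for the case the article describes: a stream the scanner let through still cannot resolve an import the allowlist does not name.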

JFrog Security Researcher David Cohen said AI libraries are expanding faster than traditional security tools can adapt, increasing the risk of unanticipated attack techniques. He said the increasing complexity of frameworks like PyTorch — with frequent updates, new model formats and evolving execution paths — widens the gap between innovation and protection.

Cohen said the industry needs a research-driven security layer that continuously analyses AI models, tracks library changes and identifies emerging exploitation methods. “This widening gap leaves organizations exposed to emerging threats that conventional tools simply weren’t designed to anticipate,” he said. “By actively analysing new models and uncovering novel exploitation techniques, this approach delivers adaptive, intelligence-driven protection against the vulnerabilities that matter most.”

JFrog has published a detailed technical analysis of the vulnerabilities and recommended that organisations treat untrusted PyTorch models as potentially dangerous until updated mitigation tools are available.
