Picklescan Vulnerabilities Could Let Hackers Bypass AI Security Checks


Sonatype researchers uncover critical vulnerabilities in picklescan. Learn how these flaws impact AI model security, Hugging Face, and best practices for developers.

Cybersecurity researchers at Sonatype have identified several vulnerabilities within picklescan, a tool used for examining Python pickle files for malicious code. These files, commonly used for storing and retrieving machine learning models, pose a security risk because loading (unpickling) them can execute arbitrary code.

According to Sonatype’s analysis, shared with Hackread.com, four vulnerabilities were found in total:

  • CVE-2025-1716 – allows attackers to bypass the tool’s checks and execute harmful code;
  • CVE-2025-1889 – failure to detect hidden malicious files due to its reliance on file extensions;
  • CVE-2025-1944 – can be exploited by manipulating ZIP archive filenames to cause the tool to malfunction;
  • CVE-2025-1945 – failure to detect malicious files when certain bits within ZIP archives are altered.
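The second finding above is the classic scanner weakness of trusting a filename. The following is an added example (written for this article, not picklescan’s or Sonatype’s code) of a content-based check: it walks every member of a ZIP-packaged model, tries to parse each one as a pickle opcode stream with the standard library’s `pickletools`, and lists which globals the stream would resolve, without ever loading it. The `SAFE_GLOBALS` allowlist and the sample archive are constructed for the demonstration; a real allowlist is derived from what the model format legitimately needs.

```python
"""Content-based pickle scan for a ZIP-packaged model (added example, not picklescan's code)."""
import collections
import io
import pickle
import pickletools
import zipfile

# Hypothetical allowlist (assumption): the globals a benign weights file may reference.
SAFE_GLOBALS = {("collections", "OrderedDict")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """Return the (module, name) pairs a pickle stream resolves, without loading it.

    Returns None when `data` does not parse as a complete pickle, so callers decide
    by content rather than by filename. GLOBAL carries "module name" in its argument;
    STACK_GLOBAL takes the two strings below it on the stack, which may have been
    pushed directly or fetched back from the memo, so both paths are tracked.
    """
    refs, strings, memo = [], [], {}
    last = None  # value most recently pushed, if it was a string
    try:
        for op, arg, _pos in pickletools.genops(data):
            name = op.name
            if name in STRING_OPS:
                strings.append(arg)
                last = arg
            elif name == "MEMOIZE":
                memo[len(memo)] = last
            elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
                memo[arg] = last
            elif name in ("GET", "BINGET", "LONG_BINGET"):
                last = memo.get(arg)
                if isinstance(last, str):
                    strings.append(last)
            elif name == "GLOBAL":
                module, attr = arg.split(" ", 1)
                refs.append((module, attr))
                last = None
            elif name == "STACK_GLOBAL":
                if len(strings) < 2:
                    return None
                attr, module = strings.pop(), strings.pop()
                refs.append((module, attr))
                last = None
            elif name == "STOP":
                return refs
            elif name not in ("PROTO", "FRAME"):
                last = None
    except Exception:  # unknown opcode, truncated stream, bad argument: not a pickle
        return None
    return None  # ran out of bytes before STOP


def scan_archive(zip_bytes: bytes):
    """Inspect every archive member by content, whatever its extension.

    Returns {member: [references outside SAFE_GLOBALS]} for members that are pickles.
    A member the ZIP layer cannot hand back is reported rather than silently skipped,
    so the scanner fails closed instead of being bypassed by an unreadable entry.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                refs = referenced_globals(zf.read(info))
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
                findings[info.filename] = [("unscannable", type(exc).__name__)]
                continue
            if refs is not None:
                findings[info.filename] = [r for r in refs if r not in SAFE_GLOBALS]
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture: a benign weights pickle, a pickle hidden under a .txt name, and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl",
                    pickle.dumps(collections.OrderedDict(w=[1.0, 2.0]), protocol=4))
        # Reference to builtins.eval only; the scanner never loads it.
        zf.writestr("model/notes.txt", pickle.dumps(eval, protocol=4))
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()

if __name__ == "__main__":
    for member, bad in scan_archive(SAMPLE_ARCHIVE).items():
        print(member, "clean" if not bad else f"suspicious references: {bad}")
```

The point of the design is that `model/notes.txt` is flagged even though nothing about its name says "pickle", and `model/version` is left alone because its bytes do not form a pickle. A corrupt archive makes `zipfile.ZipFile` itself raise, which the caller should treat as a failed scan, not a clean one.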

It is worth noting that platforms such as Hugging Face utilize picklescan as part of their security measures to identify malicious AI models. The discovered vulnerabilities could allow malicious actors to bypass these security checks, thereby posing a threat to developers who rely on open-source AI models, as they can lead to “arbitrary code execution,” researchers noted. This means an attacker could potentially take complete control of an affected system.

“Given the role of picklescan within the wider AI/ML hygiene posture (e.g. when used with PyTorch), the vulnerabilities discovered by Sonatype could be leveraged by threat actors to bypass malware scanning (at least in part) and target devs leveraging open source AI,” researchers explained in the blog post.

The good news is that the picklescan maintainer showed a strong commitment to security by promptly addressing the vulnerabilities and releasing version 0.0.23, which patched the flaws and minimised the window in which malicious actors could exploit them.

Sonatype’s chief product officer, Mitchell Johnson, urges developers to avoid using pickle files from untrusted sources whenever possible and to use safer file formats instead. If pickle files must be used, they should only be loaded in secure, controlled environments. Moreover, it is important to verify the integrity of AI models through cryptographic signatures and checksums and to implement multi-layered security scanning.
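Two of those recommendations, checksum verification and a controlled loading environment, can be enforced at the point where a pickle is actually opened. The following is an added example (not Sonatype’s or picklescan’s code): the checksum is compared in constant time before any byte is unpickled, and loading goes through an `Unpickler` subclass whose `find_class` refuses every global outside an allowlist. Because `find_class` runs when a reference is resolved, before any `REDUCE` or `NEWOBJ` opcode can invoke it, a disallowed reference aborts the load rather than executing. The `ALLOWED_GLOBALS` set, the sample model and its digest are constructed for the demonstration.

```python
"""Integrity check plus allowlisted unpickling for model files (added example, not Sonatype's code)."""
import collections
import hashlib
import hmac
import io
import pickle

# Hypothetical allowlist (assumption): the only globals a weights file may resolve while loading.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on ALLOWED_GLOBALS.

    find_class is consulted before the referenced object can be called, so the
    load stops here instead of running whatever the reference points at.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_model(data: bytes, expected_sha256: str):
    """Verify the published checksum first, then unpickle under the allowlist."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise ValueError("checksum mismatch: refusing to load")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes, expected_sha256: str):
    """Map the outcome to a (status, object) pair suitable for logging."""
    try:
        obj = load_model(data, expected_sha256)
    except ValueError:
        return "checksum-mismatch", None
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}", None
    return "ok", obj


# Constructed fixtures. In practice the digest is published with the model, e.g. in a signed manifest.
GOOD = pickle.dumps(collections.OrderedDict(weight=[0.5, -1.0]), protocol=4)
GOOD_DIGEST = sha256_hex(GOOD)
TAMPERED = GOOD + b"\x00"                      # any change breaks the digest
SUSPICIOUS = pickle.dumps(eval, protocol=4)    # references builtins.eval, which weights never need
SUSPICIOUS_DIGEST = sha256_hex(SUSPICIOUS)     # a correct digest does not make the content safe

if __name__ == "__main__":
    for label, data, digest in (("good", GOOD, GOOD_DIGEST),
                                ("tampered", TAMPERED, GOOD_DIGEST),
                                ("suspicious", SUSPICIOUS, SUSPICIOUS_DIGEST)):
        print(label, "->", try_load(data, digest)[0])
```

The third fixture is the important one: its digest matches, so an integrity check alone would accept it, and only the allowlist stops the reference from being resolved. Checksums establish that the file is the one the publisher shipped; the restricted loader limits what even that file may do, which is why the article treats the two as layers rather than alternatives.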

The findings highlight the growing need for advanced, reliable security measures in AI/ML pipelines. To mitigate the risks, organizations should adopt practices such as utilizing safer file formats, employing multiple security scanning tools, and monitoring for suspicious behaviour when loading pickle files.
