CVE-2025-1944

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.
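A defender-side check for the mismatch described above, as an added example (not picklescan's own code or its fix): it compares each member's central-directory name with the name stored in its local file header and reports differences instead of raising. The function names and the sample member name are assumptions made for this illustration.

```python
import io
import struct
import zipfile

# Fixed 30-byte ZIP local file header: signature, version, flags, method,
# mod time, mod date, CRC-32, compressed size, uncompressed size,
# file name length, extra field length.
LOCAL_HEADER = struct.Struct("<4s5H3I2H")
LOCAL_SIG = b"PK\x03\x04"


def find_name_mismatches(data: bytes) -> list:
    """Return (central_directory_name, local_header_name) pairs that differ."""
    mismatches = []
    # ZipFile() parses only the central directory; local headers are not
    # checked until a member is opened, so listing works on such archives.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            fixed = data[start:start + LOCAL_HEADER.size]
            if len(fixed) < LOCAL_HEADER.size:
                mismatches.append((info.orig_filename, "<truncated local header>"))
                continue
            sig, _ver, flags, *_rest, name_len, _extra = LOCAL_HEADER.unpack(fixed)
            if sig != LOCAL_SIG:
                mismatches.append((info.orig_filename, "<bad local signature>"))
                continue
            name_start = start + LOCAL_HEADER.size
            raw = data[name_start:name_start + name_len]
            # Flag bit 11 marks a UTF-8 name; otherwise ZIP names are cp437.
            local_name = raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")
            if local_name != info.orig_filename:
                mismatches.append((info.orig_filename, local_name))
    return mismatches


def build_clean_archive() -> bytes:
    """Constructed sample: a well-formed archive with one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    # A well-formed archive yields no findings.
    print(find_name_mismatches(build_clean_archive()))
```

Any non-empty result is a reason to treat the file as unscanned and block it, since a scanner that aborts on the archive has not inspected its contents.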

Configurations

Configuration 1

cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*

History

29 Dec 2025, 15:16

Type Values Removed Values Added
References
  • {'url': 'https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944', 'tags': ['Exploit', 'Third Party Advisory'], 'source': '103e4ec9-0a87-450b-af77-479448ddef11'}
  • () https://www.sonatype.com/security-advisories/cve-2025-1944 -

19 Mar 2025, 16:11

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Mmaitre314 picklescan; Mmaitre314 |
| CWE | | NVD-CWE-noinfo |
| References | () https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781 - | () https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781 - Patch |
| References | () https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82 - | () https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82 - Exploit, Vendor Advisory |
| References | () https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944 - | () https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944 - Exploit, Third Party Advisory |
| CPE | | cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:* |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 6.5 |

10 Mar 2025, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-10 12:15

Updated : 2025-12-29 15:16


NVD link : CVE-2025-1944

Mitre link : CVE-2025-1944

CVE.ORG link : CVE-2025-1944


Products Affected
CWE
CWE-345

Insufficient Verification of Data Authenticity

NVD-CWE-noinfo