Security researchers have discovered significant vulnerabilities in Picklescan, a tool designed to detect malicious code within machine learning (ML) models. The flaws allowed specially crafted malicious PyTorch models to bypass the scanner’s security checks and achieve arbitrary code execution when loaded.
The findings, detailed by the cybersecurity firm Trail of Bits, reveal that Picklescan failed to correctly parse certain elements of the Pickle and PyTorch file formats. This oversight created security gaps that threat actors could exploit. An attacker could construct a PyTorch model that Picklescan would incorrectly flag as safe, while the model still contained and could execute harmful code upon deserialization by a program using the standard torch.load() function.
Details of the Scan Evasion Techniques
Trail of Bits identified multiple bypass methods that exploited the parsing deficiencies in Picklescan. One of the primary techniques involved the improper handling of PyTorch Tensors’ storage objects. Attackers could embed malicious bytecode within the model in a way that was ignored by Picklescan’s static analysis but was processed and executed by the legitimate PyTorch loading mechanism.
Another identified vulnerability related to how Picklescan handled the __setstate__ method, a Python method that the unpickler invokes during object deserialization to restore an object's state. By manipulating this process, an attacker could create a model that passed the scan but would trigger code execution once loaded into a project. The core issue was that Picklescan's safety checks were not comprehensive enough to cover all the ways the Pickle format can be structured and manipulated within a PyTorch model file.
Implications for Machine Learning Security
The discovery of these vulnerabilities underscores the inherent risks associated with loading untrusted ML models. The Pickle format, widely used for serializing Python objects, is known to be insecure against maliciously constructed data. Tools like Picklescan were created specifically to mitigate this risk by scanning model files for known dangerous patterns before they are loaded.
The successful bypass of these scans demonstrates the complexity of securing the ML supply chain. The vulnerabilities proved that even when security tools are in use, subtle implementation flaws can undermine their effectiveness. Following the responsible disclosure by Trail of Bits, the identified issues in Picklescan have been addressed and patched by its developers.
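The two controls the article contrasts, a static scan of the pickle opcode stream and the load itself, can be shown side by side in plain Python. The example below is added here and is not Picklescan's, Trail of Bits' or PyTorch's code: it enforces an allowlist of globals in Unpickler.find_class (the mechanism the Python documentation describes for restricting unpickling), and it performs a small static pass with pickletools over the same bytes. The allowlist contents, the Tracked class and the three sample streams are constructed for the example; Tracked only records that its __setstate__ was invoked, which is the hook the article names.

```python
import collections
import io
import pickle
import pickletools

# Globals a loader may resolve; everything else is refused. The entries are an
# assumption for this example: a real loader allowlists exactly the types its
# model format needs and nothing more.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("collections", "OrderedDict"),
}

# Opcodes that look up a global by name, and opcodes that run code during load:
# REDUCE calls callable(*args), BUILD calls __setstate__ (or updates __dict__),
# and the NEWOBJ/OBJ/INST family constructs instances.
GLOBAL_OPCODES = {"GLOBAL", "STACK_GLOBAL"}
CALL_OPCODES = {"REDUCE", "BUILD", "NEWOBJ", "NEWOBJ_EX", "OBJ", "INST"}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allowlisted (module, name) pairs. find_class sees the final
    module and name whatever opcodes produced them, so this check does not
    depend on parsing the stream the same way the unpickler does."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Load a pickle with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_refused(data: bytes) -> bool:
    """True if the restricted loader rejects the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def inspect_opcodes(data: bytes) -> dict:
    """Static summary of a pickle stream: opcode names present, number of
    global lookups, number of code-running opcodes, and the operands of plain
    GLOBAL opcodes. STACK_GLOBAL takes module and name from the stack rather
    than an inline operand, so they are not recovered here; gaps like this are
    where a static scanner and the real unpickler can disagree."""
    seen, global_refs = set(), []
    global_lookups = calls = 0
    for op, arg, _pos in pickletools.genops(data):
        seen.add(op.name)
        if op.name in GLOBAL_OPCODES:
            global_lookups += 1
        if op.name in CALL_OPCODES:
            calls += 1
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            global_refs.append((module, name))
    return {"opcodes": seen, "global_lookups": global_lookups,
            "calls": calls, "global_refs": global_refs}


class Tracked:
    """Constructed class whose __setstate__ records that deserialization called
    it. It stands in for any class with a __setstate__ hook and does nothing else."""

    def __init__(self):
        self.restored = False

    def __setstate__(self, state):
        self.__dict__.update(state)
        self.restored = True


def setstate_runs_on_default_load() -> bool:
    """pickle.loads rebuilds the object and the BUILD opcode calls __setstate__."""
    return pickle.loads(pickle.dumps(Tracked(), protocol=4)).restored


# Constructed sample streams.
BENIGN = pickle.dumps({"weights": [1, 2, 3]}, protocol=4)          # no globals at all
ALLOWED = pickle.dumps(collections.OrderedDict(a=1), protocol=4)  # one allowlisted global
UNLISTED = pickle.dumps(Tracked(), protocol=4)                    # global not on the list


if __name__ == "__main__":
    for label, stream in [("benign", BENIGN), ("allowed", ALLOWED), ("unlisted", UNLISTED)]:
        summary = inspect_opcodes(stream)
        print(label, "globals:", summary["global_lookups"], "calls:", summary["calls"],
              "refused:", load_is_refused(stream))
    print("__setstate__ ran under pickle.loads:", setstate_runs_on_default_load())
```

The benign dict loads with no global lookups, the OrderedDict stream loads because its one global is allowlisted, and the Tracked stream is refused before BUILD can reach its __setstate__, while the same bytes given to plain pickle.loads do run that method. The static pass is useful for triage, but it is a heuristic over the opcode stream, and the Picklescan bypasses described above lived precisely in the gap between a scanner's parse and what the real unpickler does; the find_class allowlist sits on the unpickler itself, which is why PyTorch's own mitigation of the same kind is torch.load(weights_only=True).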
Source: https://thehackernews.com/2025/12/picklescan-bugs-allow-malicious-pytorch.html