{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1944", "assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11", "state": "PUBLISHED", "assignerShortName": "Sonatype", "dateReserved": "2025-03-04T12:59:33.809Z", "datePublished": "2025-03-10T11:30:32.896Z", "dateUpdated": "2025-03-10T12:09:36.612Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "picklescan", "vendor": "mmaitre314", "versions": [{"lessThan": "0.0.23", "status": "affected", "version": "0.0.1", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Trevor Madge (@madgetr) of Sonatype"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.<br>"}], "value": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "103e4ec9-0a87-450b-af77-479448ddef11", "shortName": "Sonatype", "dateUpdated": "2025-03-10T11:30:32.896Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944"}, {"tags": ["vendor-advisory"], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82"}, {"tags": ["patch"], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781"}], "source": {"discovery": "UNKNOWN"}, "title": "picklescan ZIP archive manipulation attack leads to crash", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T12:08:11.236471Z", "id": "CVE-2025-1944", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T12:09:36.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1944", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T12:08:11.236471Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T12:09:21.792Z"}}], "cna": {"title": "picklescan ZIP archive manipulation attack leads to crash", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Trevor Madge (@madgetr) of Sonatype"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "mmaitre314", "product": "picklescan", "versions": [{"status": "affected", "version": "0.0.1", "lessThan": "0.0.23", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944", "tags": ["third-party-advisory"]}, {"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82", "tags": ["vendor-advisory"]}, {"url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.", "supportingMedia": [{"type": "text/html", "value": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "103e4ec9-0a87-450b-af77-479448ddef11", "shortName": "Sonatype", "dateUpdated": "2025-03-10T11:30:32.896Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1944", "state": "PUBLISHED", "dateUpdated": "2025-03-10T12:09:36.612Z", "dateReserved": "2025-03-04T12:59:33.809Z", "assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11", "datePublished": "2025-03-10T11:30:32.896Z", "assignerShortName": "Sonatype"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*", "matchCriteriaId": "B21661AE-0228-49C7-A966-4FDA8DAF0C0B", "versionEndExcluding": "0.0.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection."}, {"lang": "es", "value": "Las versiones anteriores a la versi\u00f3n 0.0.23 de picklescan son vulnerables a un ataque de manipulaci\u00f3n de archivos ZIP que provoca que se bloquee al intentar extraer y escanear archivos de modelos de PyTorch. Al modificar el nombre del archivo en el encabezado ZIP y mantener el nombre del archivo original en la lista de directorios, un atacante puede hacer que PickleScan genere un error BadZipFile. Sin embargo, la implementaci\u00f3n ZIP m\u00e1s indulgente de PyTorch a\u00fan permite cargar el modelo, lo que permite que las cargas maliciosas eludan la detecci\u00f3n."}], "id": "CVE-2025-1944", "lastModified": "2025-03-19T16:11:29.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "103e4ec9-0a87-450b-af77-479448ddef11", "type": "Secondary"}]}, "published": "2025-03-10T12:15:10.967", "references": [{"source": "103e4ec9-0a87-450b-af77-479448ddef11", "tags": ["Patch"], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781"}, {"source": "103e4ec9-0a87-450b-af77-479448ddef11", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82"}, {"source": "103e4ec9-0a87-450b-af77-479448ddef11", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944"}], "sourceIdentifier": "103e4ec9-0a87-450b-af77-479448ddef11", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "103e4ec9-0a87-450b-af77-479448ddef11", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}