CVE-2025-10155: Picklescan Bypass is Possible via File Extension Mismatch
(updated )
Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
References
- github.com/advisories/GHSA-jgw4-cr84-mqxg
- github.com/mmaitre314/picklescan
- github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py
- github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5
- github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg
- nvd.nist.gov/vuln/detail/CVE-2025-10155
Code Behaviors & Features
Detect and mitigate CVE-2025-10155 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →