CVE-2025-10156: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
(updated )
Picklescan’s ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often disables CRC checks).
References
- github.com/advisories/GHSA-mjqp-26hc-grxg
- github.com/mmaitre314/picklescan
- github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py
- github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5
- github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg
- huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true
- huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main
- nvd.nist.gov/vuln/detail/CVE-2025-10156
Code Behaviors & Features
Detect and mitigate CVE-2025-10156 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →