GHSA-769v-p64c-89pr: PyTorch Model Files Can Bypass Pickle Scanners via Unexpected Pickle Extensions

March 3, 2025

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch’s torch.load() function. This can lead to arbitrary code execution when the model is loaded.

References

github.com/advisories/GHSA-769v-p64c-89pr
github.com/mmaitre314/picklescan
github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e
github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr

Detect and mitigate GHSA-769v-p64c-89pr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →