CVE-2025-10155 CRITICAL

CVE-2025-10155: PickleScan Security Bypass Using Misleading File Extension

Vendor Mmaitre314
Product picklescan
Weakness CWE-20 · Input validation
Published September 17, 2025
Last update September 17, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When a pickle file that was incorrectly considered safe is loaded, it can lead to the execution of malicious code.
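A defensive counterpart to the description above, as an added example (not picklescan's code): it chooses how to inspect a file from its bytes rather than its extension and lists the imports a pickle stream would perform. The allowlist, file names and sample inputs are constructed for illustration, and the `STACK_GLOBAL` handling is a heuristic.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

ALLOWED = {("collections", "OrderedDict")}  # constructed allowlist (assumption)

def pickle_imports(data):
    """Return the (module, name) pairs a pickle stream imports, or None if it does not parse."""
    found, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if isinstance(arg, str):
                strings.append(arg)
            if op.name in ("GLOBAL", "INST"):
                found.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":
                # Heuristic: module and name are the two most recent string pushes.
                found.append(tuple(strings[-2:]))
    except Exception:
        return None  # unparseable top-level data is reported as "unknown"
    return found

def scan(name, data):
    """Inspect by content; `name` is only echoed back, never used for routing."""
    buf = io.BytesIO(data)
    is_zip = zipfile.is_zipfile(buf)
    # Parse the raw bytes too unless they begin with the ZIP local-header magic,
    # so a pickle stream with a ZIP appended is still inspected.
    top = None if data.startswith(b"PK\x03\x04") else pickle_imports(data)
    members = []
    if is_zip:
        with zipfile.ZipFile(buf) as zf:
            # Members that do not parse as pickle (e.g. tensor storage) yield None.
            members = [pickle_imports(zf.read(m)) for m in zf.namelist()]
    flagged = sorted({i for r in [top, *members] if r for i in r if i not in ALLOWED})
    kind = "zip" if is_zip else "pickle" if top is not None else "unknown"
    return {"name": name, "format": kind, "flagged": flagged}

def build_samples():
    """Constructed, benign inputs; the file names are illustrative."""
    by_ref = pickle.dumps(zipfile.ZipFile)  # pickled by reference: imports zipfile.ZipFile
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", by_ref)
    return {"weights.bin": by_ref, "state.pt": pickle.dumps(OrderedDict(a=1)),
            "model.pth": buf.getvalue()}

if __name__ == "__main__":
    for sample_name, sample in build_samples().items():
        print(scan(sample_name, sample))
```

A caller that fails closed would refuse to load anything reported as `unknown` or with a non-empty `flagged` list.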

Key dates

02 Disclosure timeline

September 17, 2025 CVE published
September 17, 2025 Record updated