PickleScan Exposes Arbitrary Code Execution Via Malicious PyTorch Models
On 2025-12-04, security researchers disclosed multiple critical zero-day vulnerabilities in PickleScan, an open-source tool widely used to scan PyTorch models saved with Python's pickle format. The flaws allow arbitrary code execution when scanning malicious pickled models, affecting users and platforms including Hugging Face and increasing supply-chain risk for ML practitioners.
Key Points
- Researchers identified multiple critical zero-day vulnerabilities in PickleScan that enable arbitrary code execution from malicious pickled models
- The flaws affect model-sharing platforms including Hugging Face, broadening the attack surface across the ML supply chain
- Practitioners should avoid loading untrusted pickles, update their scanners, and apply mitigations to prevent exploitation
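As an added illustration of the mitigation in the key points (this is not PickleScan's code and does not reproduce the disclosed flaws, which the report does not detail), the Python below gates every global a pickle stream resolves through an allowlist, so an untrusted model file cannot reach callables outside it. The allowlist contents and the two sample pickles are constructed assumptions for the example.

```python
import collections
import glob
import io
import pickle

# Globals a plain state-dict pickle may legitimately reference. Constructed,
# deliberately tiny allowlist for this example (assumption); a real one would
# enumerate the torch / numpy reconstructors your models actually need.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL / STACK_GLOBAL lookup not on the allowlist.

    Every callable a pickle can invoke (via REDUCE, BUILD, NEWOBJ, ...) must first
    be resolved through find_class, so gating it here bounds what the stream can
    do to constructing allowlisted objects.
    """

    def __init__(self, stream, allowed):
        super().__init__(stream)
        self.allowed = allowed
        self.requested = []  # every global the stream asked for, in order

    def find_class(self, module, name):
        self.requested.append((module, name))
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"refusing global {module}.{name}")
        return super().find_class(module, name)


def triage_pickle(data: bytes, allowed=ALLOWED_GLOBALS):
    """Return (accepted, requested_globals). accepted is False as soon as the
    stream asks for a global outside the allowlist; nothing after that runs."""
    unpickler = AllowlistUnpickler(io.BytesIO(data), allowed)
    try:
        unpickler.load()
    except pickle.UnpicklingError:
        return False, unpickler.requested
    return True, unpickler.requested


# Constructed samples: a benign "state dict" and a stream that merely references
# glob.glob by name. Neither calls anything, so both are safe to build here.
BENIGN = pickle.dumps(collections.OrderedDict([("w", [0.1, 0.2])]))
OFF_ALLOWLIST = pickle.dumps(glob.glob)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("off-allowlist", OFF_ALLOWLIST)):
        accepted, requested = triage_pickle(blob)
        print(f"{label}: accepted={accepted} globals={requested}")
```

Because allowlisted constructors still execute, keep the allowlist to classes whose construction and `__setstate__` have no side effects; the safer default for untrusted files remains not unpickling them at all.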
Scoring Rationale
High severity and broad ML ecosystem impact, but limited verification or official patches at time of reporting.