PyTorch Users at Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities
Blog post from JFrog
JFrog Security Research uncovered three critical zero-day vulnerabilities in PickleScan, a widely used tool for scanning machine learning models for malicious content, which could allow attackers to bypass its malware detection capabilities. These vulnerabilities enable potential supply chain attacks by allowing malicious ML models to evade detection and execute harmful actions when loaded. PickleScan, recognized as an industry standard and integrated into platforms like Hugging Face, relies on blacklist-based detection, which has limitations in identifying new threats. The vulnerabilities include file extension bypass, CRC bypass in ZIP archives, and unsafe globals check bypass with subclass imports, each allowing malicious actors to circumvent PickleScan's security measures. Despite the rapid advancements in AI, data scientists often prioritize speed over security, leading to continued use of insecure formats like Pickle. JFrog recommends updating PickleScan to version 0.0.31, implementing layered defenses, and transitioning to safer serialization formats like Safetensors to mitigate these risks. JFrog's approach to addressing these challenges includes continuous research, multi-layered analysis, and integration with existing DevOps workflows, ensuring comprehensive protection for AI and ML environments.
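The three bypass classes named above (trusting the file extension, trusting a ZIP CRC that does not verify, and a blacklist of globals that a subclass or alias can sidestep) share one defensive answer: scan by content, fail closed on integrity errors, and allow only the globals a model file legitimately needs. The following Python is an added illustration of that layered check, written for this summary; it is not PickleScan's or JFrog's code. The helper names (`is_pickle`, `referenced_globals`, `scan_file`, `build_sample_zip`, `tamper_first_member`), the tiny `ALLOWED_GLOBALS` set and the sample payloads are all constructed for the example. It parses pickle opcodes statically with `pickletools.genops` and never unpickles anything.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumption: the only global a plain state_dict-style pickle should need.
# A real deployment would derive this allowlist from the framework it serves.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a text string; STACK_GLOBAL (protocol 4+) pops two of them.
TEXT_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def is_pickle(data: bytes) -> bool:
    """Recognise a pickle stream by parsing its opcodes, never by extension."""
    try:
        last = None
        for op, _arg, _pos in pickletools.genops(data):
            last = op.name
        return last == "STOP"
    except Exception:  # pickletools raises several error types on malformed input
        return False


def referenced_globals(data: bytes) -> set:
    """Statically collect every (module, name) the pickle would import."""
    refs = set()
    strings = []  # recent string pushes; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):   # protocol <= 3: "module name" inline
            module, name = arg.split(" ", 1)
            refs.add((module, name))
        elif op.name == "STACK_GLOBAL":      # protocol 4+: operands come from the stack
            if len(strings) >= 2:
                refs.add((strings[-2], strings[-1]))
        elif op.name in TEXT_OPS:
            strings.append(arg)
    return refs


def scan_blob(data: bytes) -> list:
    """Allowlist check for one pickle payload: an empty list means it passed."""
    return [
        f"global not on allowlist: {module}.{name}"
        for module, name in sorted(referenced_globals(data))
        if (module, name) not in ALLOWED_GLOBALS
    ]


def scan_file(data: bytes) -> dict:
    """Content-based scan: verify ZIP CRCs and inspect every member that parses
    as a pickle, whatever its name; a bare pickle is inspected directly."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # first member whose CRC does not verify, else None
            if bad is not None:
                return {"verdict": "reject", "reason": f"CRC mismatch in member {bad}"}
            findings = {}
            for info in zf.infolist():
                member = zf.read(info.filename)
                if is_pickle(member):
                    findings[info.filename] = scan_blob(member)
    elif is_pickle(data):
        findings = {"<root>": scan_blob(data)}
    else:
        return {"verdict": "skip", "reason": "no pickle content found"}
    flagged = {name: hits for name, hits in findings.items() if hits}
    if flagged:
        return {"verdict": "reject", "reason": flagged}
    return {"verdict": "pass", "members": list(findings)}


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed fixture: a one-member STORED archive, like a torch container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def tamper_first_member(zip_bytes: bytes, member_name: str) -> bytes:
    """Constructed fixture: flip one payload byte of the first STORED member so
    the recorded CRC no longer verifies (30-byte local header, then the name)."""
    offset = 30 + len(member_name.encode())
    out = bytearray(zip_bytes)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    benign = pickle.dumps(OrderedDict(w=1.0), protocol=4)
    print(scan_file(build_sample_zip("weights.bin", benign)))  # passes despite .bin name
```

The point of the fixtures is the verdict on each path: a pickle hidden under a non-pickle extension is still scanned, an archive whose CRC does not verify is rejected rather than skipped, and any global outside the allowlist is flagged even when it is perfectly benign, which is what turns a blacklist that can be sidestepped into an allowlist that cannot.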