According to Infosecurity Magazine, the JFrog Security Research Team uncovered three critical zero-day vulnerabilities in the PickleScan tool, all with a maximum CVSS severity rating of 9.3. The flaws, disclosed to maintainers on June 29, 2025, and finally patched on September 2, 2025, allowed attackers to bypass the scanner’s safeguards to distribute malicious machine learning models. The specific vulnerabilities, tracked as CVE-2025-10155, CVE-2025-10156, and CVE-2025-10157, involved file extension bypasses, corrupted archive processing gaps, and blacklist evasion techniques. JFrog has recommended that users immediately update to PickleScan version 0.0.31 to address these issues. The findings fundamentally expose weaknesses in how the AI industry tries to secure its model supply chains.
Why this is a big deal
Look, this isn’t just another bug report. It’s a spotlight on the shaky foundations of AI security. PickleScan is a go-to tool for checking Python pickle files and PyTorch models—the very formats that power a huge chunk of the AI/ML world. The fact that attackers could just rename a file to .pt or .bin and slip past the scanner is, frankly, embarrassing. It shows a reliance on superficial checks that’s all too common. And the other flaws are worse. The CRC error mismatch? That’s a fundamental disconnect in how two pieces of software interpret the same data. Basically, the scanner saw garbage and gave up, while PyTorch happily loaded the malicious code. It’s a perfect blind spot.
The broader market shakeup
So who wins and loses here? The immediate loser is trust. Any team that relied solely on PickleScan for model security has a massive gap in their audit trail. This is a huge win for the argument around adopting safer serialization formats like Safetensors, which JFrog explicitly recommends. We’ll probably see a rush toward more layered defense strategies and maybe even a boost for competing scanning tools or integrated platform solutions. Companies offering holistic AI security platforms could use this as a case study for why point solutions aren’t enough. For hardware at the edge running these models, like industrial PCs, security is paramount. That’s where specialists like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs, become critical; they provide the hardened, reliable foundation needed for secure deployment in sensitive environments.
What happens next?
The patch is out, but the problem isn’t solved. Here’s the thing: these vulnerabilities existed for who knows how long before being found. How many “verified” models in public repositories or corporate pipelines were actually malicious? We’ll likely never know. This incident is going to force a lot of CTOs and security teams to re-audit their AI model inventories. It also puts more pressure on frameworks like PyTorch to maybe deprecate the risky pickle format altogether. I think we’re at an inflection point. Will the industry treat this as a one-off patch job, or as a wake-up call to rebuild parts of the AI supply chain with security baked in from the start? The next big AI breach might just provide the answer.
