PickleScan Uncovers 0-Day Vulnerabilities Allowing Arbitrary Code Execution via Malicious PyTorch Models

Intro: A watershed moment for ML security and the fragility of model supply chains

In a development that rattled the machine learning risk landscape, JFrog Security Research disclosed three critical PickleScan zero-day vulnerabilities capable of enabling arbitrary code execution through malicious PyTorch models. While PickleScan is widely used to inspect ML artifacts for hidden malware and unsafe content, these flaws undermine the very guardianship it’s supposed to provide. The revelations highlight a worrisome paradox in modern software supply chains: tools designed to safeguard ML deployments can themselves become vectors for compromise if their parsing, deserialization, or content handling routines are misconfigured or inadequately sandboxed. For enterprises racing to modernize their data science operations, the discovery is a clarion call to reassess how model artifacts are ingested, scanned, and trusted across the pipeline. This piece unpacks what the PickleScan zero-day vulnerabilities mean, how they operate at a high level, the potential industry impact, and pragmatic steps organizations can take to strengthen defenses in 2025.

What are these PickleScan zero-day vulnerabilities?

The term PickleScan zero-day vulnerabilities refers to three distinct security flaws identified by JFrog Security Research that could let an attacker execute arbitrary code within a target system by feeding specially crafted PyTorch model payloads. In practice, these vulnerabilities exploit weaknesses in the way PickleScan handles deserialization, model metadata, and embedded executable content during the scanning process. The result is a scenario where a malicious PyTorch model—seemingly legitimate and undetected by normal malware checks—could trigger unauthorized actions once loaded by a downstream machine learning pipeline or serving environment.

Vulnerability 1: Deserialization weakness in the PyTorch model loader

Deserialization flaws are a well-documented risk in languages and toolchains that reconstruct objects from serialized data. In this first PickleScan zero-day vulnerability, an attacker could manipulate the deserialization pathway to cause code execution or to escalate privileges during the interpretation of a PyTorch model. Because deserialization is often used to preserve complex object graphs—weights, layers, and custom operations—the flaw leverages the intrinsic trust placed in the serialized content. The outcome is not merely a crash or denial of service; it can be the remote execution of arbitrary payloads inside the host that processes the model, particularly if safeguards such as isolated sandboxes and runtime checks are absent or misconfigured.

Vulnerability 2: Malicious metadata triggering unsafe evaluation

The second PickleScan zero-day vulnerability concerns the interpretation of model metadata. Attackers can craft metadata in ways that prompt PickleScan to evaluate or execute code during the inspection process. This is especially dangerous because metadata often travels through CI/CD pipelines, artifact repositories, and model registries, creating multiple touchpoints where the malicious signal can propagate. In practice, an attacker could embed executable hooks or payloads within metadata fields that the scanner interprets as legitimate configuration, enabling stealthy execution paths that bypass traditional malware detections.

Vulnerability 3: Embedded executable content within model artifacts

The third vulnerability exploits the presence of embedded content within the model artifact itself—custom operations, compiled extensions, or dynamic libraries packaged alongside PyTorch components. If PickleScan’s parsing logic does not strictly limit or sandbox the execution context, an attacker can place carefully crafted code into the artifact that, when unpacked or loaded, triggers arbitrary code execution. This route is particularly insidious because it leverages legitimate model packaging practices used by data science teams, blending malicious payloads with legitimate model components in a way that makes detection far more challenging for conventional scanners.

Why these flaws matter: The risk landscape for ML supply chains

To appreciate the severity of the PickleScan zero-day vulnerabilities, it’s essential to understand the broader risk ecosystem surrounding machine learning supply chains. Modern AI/ML deployments rely on a constellation of artifacts: pre-trained weights, custom layers, data processing scripts, transformation pipelines, and deployment configurations. Each artifact passes through multiple stages of development, testing, validation, and deployment, often across distributed teams and vendor ecosystems. When a single tool in that chain—such as a security scanner—becomes the attack surface, the entire chain is at risk.

Here are the core implications of these PickleScan zero-day vulnerabilities in practical terms:

• Undetectable payloads in deployed models: If a malicious model slips through the security perimeter undetected, it may activate in production environments, potentially altering inferences, exfiltrating data, or sabotaging results. The consequences range from data leakage to model poisoning and economic damage from manipulated outcomes.
• Supply chain compromise at scale: Large organizations commonly share models via registries and marketplaces. A single compromised artifact can propagate across dozens or hundreds of downstream projects, amplifying threat exposure and complicating incident response.
• Lurking risk for regulated industries: Sectors such as healthcare, finance, and critical infrastructure increasingly depend on ML models. A vulnerability of this kind can trigger regulatory scrutiny, breach notifications, and litigation risk if a deployment is implicated in a security incident.
• Operational disruption and downtime: Beyond security, a successful exploit could disrupt inference services, degrade model performance, or cause cascading failures in real-time decision systems critical for customer-facing applications.

Context: How PickleScan works and why the flaws are so dangerous

PickleScan is designed to oganize and inspect ML model artifacts for signs of tampering, malware, or policy violations. In theory, it acts as a sentinel—scanning models before they enter production and flagging potentially dangerous content. In practice, the effectiveness of such a tool hinges on the integrity of its parsing, evaluation, and sandboxing routines. The PickleScan zero-day vulnerabilities exploit fundamental weaknesses in these areas:

• Assumed trust in serialized content: Many security tools assume that deserialized data is safe or benign. When the tool’s design permits code execution as part of the deserialization process, attackers can pivot from detection to execution.
• Metadata as a threat vector: Metadata is typically treated as inert or advisory data. If a scanner evaluates metadata in a way that can trigger code or dynamic behavior, the boundary between data and code becomes dangerously blurred.
• Artifact bundling and extensions: The inclusion of custom PyTorch extensions or libraries is common in advanced ML workflows. If scanners do not strictly sandbox or validate these components, they provide a ready-made channel for exploitation.

Historical parallels: deserialization, YoMo and beyond

Deserialization vulnerabilities have a long and storied history in cybersecurity. Past incidents involving Python, Java, and JavaScript ecosystems show that deserializing untrusted input is a risky operation unless careful controls are in place. What makes the PickleScan zero-day vulnerabilities particularly concerning is their targeted relevance to ML pipelines. By focusing on PyTorch models and common ML artifact formats, attackers can more easily tailor exploits to a modern production environment, combining both security and data science risk in a single attack surface.

“We often underestimate the fragility of security tooling when it processes real-world data artifacts. The PickleScan zero-day vulnerabilities are a stark reminder that guardians must be resilient, not just reactive.”

Potential real-world impact scenarios

To translate risk into a narrative teams can act on, here are several plausible scenarios that illustrate how the PickleScan zero-day vulnerabilities could manifest in production ecosystems:

1. Model marketplace compromise: An attacker uploads a malicious PyTorch model to a public or partner marketplace. Data scientists download it for experimentation, and a few teams inadvertently enable the malicious payload in their inference pipelines. If PickleScan fails to detect the payload during scanning, the compromised model could execute arbitrary code once loaded into a production service.
2. CI/CD integration breach: In a continuous integration/continuous deployment (CI/CD) workflow, a compromised artifact passes through automated scans due to a misconfiguration or a gap in coverage. The malicious content then becomes part of a deployed model in production, leading to slow spoiling of model outputs or unauthorized actions triggered during inference.
3. Supply chain ripple effects: A single vulnerable artifact is used by multiple teams across an organization. A successful exploitation in one project can propagate through shared libraries, training pipelines, or feature stores, causing broad systemic risk and complicating remediation efforts.
4. Regulatory and reputational damage: For institutions under regulatory scrutiny, a zero-day crossing the model boundary could trigger breach disclosures, contractual penalties, or investor confidence erosion, especially in industries where ML decisions affect customer data or financial outcomes.

Mitigation: a multi-layered response plan for defenders

Given the sophistication of these PickleScan zero-day vulnerabilities, defensive strategies must be comprehensive, proactive, and integrated into the broader security and ML governance framework. Below are actionable steps organizations can take to reduce exposure and improve resilience in the face of this risk.

1) Strengthen model provenance and SBOMs

Implement a robust software bill of materials (SBOM) for ML artifacts, including model provenance, training data sources, and dependency graphs. By knowing exactly what comprises each model, teams can more easily detect anomalous components and track how artifacts move through the pipeline. A well-documented provenance chain also simplifies post-incident forensics and vendor risk assessments.

2) Harden scanning with defense-in-depth

Adopt a defense-in-depth approach to ML artifact scanning. This means combining:

• Pre-scan validation of artifacts in a trusted environment
• Multiple scanning tools that use different detection methodologies (signature-based, behavior-based, and anomaly detection)
• Sandboxed execution environments to observe runtime behavior without risking production systems
• Static and dynamic analysis of deserialization pathways, metadata handling, and embedded content

By layering protections, organizations reduce the likelihood that a single vulnerability in one tool—like the PickleScan zero-day flaws—will lead to a full-blown compromise.

3) Enforce strict sandboxing and runtime controls

Execute model loading and evaluation inside isolated sandboxes with restricted system calls, memory, and network access. This minimizes the impact of any potential code execution triggered by malicious artifacts and prevents lateral movement within a host or cluster.

4) Apply strict content validation and safe deserialization patterns

Where possible, avoid or minimize dynamic code execution during model loading. Use safe serializers and deserializers, explicit white-lists for allowed classes, and explicit versioning of the libraries involved. In PyTorch contexts, favor static graph approaches when feasible and isolate custom ops behind well-audited wrappers.

5) Strengthen CI/CD security practices for ML artifacts

Integrate vulnerability scanning into each stage of the ML deployment lifecycle. This includes gatekeeping steps where artifacts must pass all security checks before promotion, automatic rollback capabilities, and rapid patching workflows when new vulnerabilities are disclosed.

6) Implement robust access control and key management

Use principle of least privilege for artifact registries, enforce strong authentication (prefer hardware-backed tokens or FIDO2), and rotate access credentials regularly. Consider separating model development environments from production inference environments to limit the blast radius of any potential breach.

7) Enhance monitoring, detection, and incident response for ML services

Invest in anomaly detection tailored to ML inference, including monitoring for unusual data flows, unexpected system calls during model loading, and abnormal inference results. Establish an incident response playbook that covers ML-specific scenarios, such as rapid isolation of compromised models and validated recovery procedures.

8) Promote transparency and collaboration with vendors

Engage with toolmakers and ML platform providers to understand how recent PickleScan zero-day vulnerabilities are being addressed. Request timely patches, clear advisories, and guidance on safe deployment practices. Public-private collaboration remains a pillar of effective threat intelligence in AI security.

What JFrog Security Research disclosed and the path forward

JFrog Security Research’s findings on the PickleScan zero-day vulnerabilities underscore the need for timely vulnerability disclosure, rapid patching, and ongoing risk assessment for security tooling used in ML ecosystems. While the exact patch status and remediation steps will depend on vendor responses, organizations can prepare by tightening their ML security governance, improving artifact provenance, and reinforcing multi-layered defenses. The disclosure also catalyzes a broader conversation about the need for formalized security testing of ML scanning tools themselves, including rigorous fuzzing, dependency analysis, and differential testing to surface hard-to-find defects that could enable RCE or bypass detection.

Industry context: 2025 trends in ML security and supply chain integrity

The past few years have seen a shift in how organizations view AI risk, moving beyond model accuracy and fairness to encompass security, governance, and resilience. Some notable 2025 trends include:

• Growing emphasis on SBOMs for ML artifacts: Enterprises increasingly require traceability for every artifact used in model training, with suppliers expected to provide clear provenance and integrity checks.
• Security-by-design for ML tooling: Vendors are integrating security testing as a core feature, not an afterthought, with emphasis on deserialization safety, sandboxing, and restricted runtime environments.
• Unified risk dashboards for AI supply chains: Organizations adopt centralized dashboards that correlate vulnerabilities, policy violations, and deployment risk across ML pipelines and production services.
• Zero-trust principles in ML deployment: Models and data sources are treated as untrusted by default, with strong verification and continuous monitoring at every stage of the lifecycle.

Pros and cons of relying on security scanners for ML artifacts

As with any security technology, ML artifact scanners offer benefits and caveats. Understanding these helps organizations make informed choices about tooling, configuration, and risk appetite.

• Pros:
  • Automates an essential guardrail against malicious models and tampered artifacts.
  • Scales across large model portfolios and pipelines, reducing manual review burden.
  • Provides repeatable checks that support compliance and audit requirements.
• Cons:
  • Vulnerabilities in the scanners themselves (like the PickleScan zero-day flaws) can undermine trust in automated protections.
  • False positives and false negatives can erode confidence or create alert fatigue if not tuned properly.
  • Overreliance on a single tool may obscure deeper supply chain risks that require governance and process improvements.

Conclusion: Navigating the era of AI security with vigilance and governance

The emergence of PickleScan zero-day vulnerabilities exposing the possibility of arbitrary code execution through malicious PyTorch models marks a pivotal moment in the security of AI systems. It reveals how the instruments meant to shield ML workflows can unintentionally create new risk vectors if their own processing paths are not safeguarded. For organizations, the path forward is clear: embrace a holistic approach to ML supply chain security that pairs robust tooling with governance, provenance, and incident readiness. By integrating multi-layered defenses, enforcing strict model provenance, and championing secure design principles across the ML lifecycle, teams can reduce exposure to the PickleScan zero-day class of risks and position themselves to respond rapidly when vulnerabilities surface.

FAQ: Common questions about PickleScan zero-day vulnerabilities and defense strategies

Q: What is PickleScan, and why is it important?

A: PickleScan is a widely used security tool designed to inspect machine learning artifacts for malware and unsafe content. Its role is to guard ML pipelines by scanning models, data processing scripts, and related artifacts before deployment. The discovery of PickleScan zero-day vulnerabilities highlights the risk that protective tools themselves can harbor exploitable flaws.

Q: How do the PickleScan zero-day vulnerabilities enable arbitrary code execution?

A: The three flaws center on deserialization, metadata handling, and embedded executable content within PyTorch model artifacts. Each pathway can trigger code execution when processing a compromised artifact, effectively turning a legitimate security scanner into an execution gateway for attackers if proper containment and validation are not in place.

Q: Should my organization stop using PickleScan?

A: Not necessarily. Rather than abandoning the tool, organizations should immediately assess the vulnerability surface, apply patches or mitigations released by the vendor, adjust configurations to enforce stricter sandboxing, and augment the deployment with multi-layered security controls. A risk-based approach—balancing protection with operational needs—is recommended.

Q: What steps can teams take now to reduce risk?

A: Implement SBOMs for all ML artifacts, enforce sandboxed loading of models, enable multi-tool scanning with diverse detection methods, strengthen CI/CD gates for ML artifacts, and enhance monitoring and incident response dedicated to ML workloads. Ensure vendor communication lines are open for patch advisories and vulnerability disclosures.

Q: Will patches be available soon for PickleScan vulnerabilities?

A: Vendor responses vary, but responsible disclosure typically leads to patches, advisories, and recommended mitigations within weeks to a few months. Organizations should monitor official advisories, subscribe to threat intelligence feeds, and be prepared to apply updates promptly while validating compatibility with their production environments.

This coverage is part of LegacyWire’s ongoing commitment to providing clear, actionable security news for IT leaders and developers. As the AI ecosystem grows more complex, the integration of rigorous security practices with intelligent governance will determine how safely organizations can scale their ML capabilities and realize the promise of modern automation without compromising resilience.