Research note
Public advisories for CVE-2025-10156 describe affected PickleScan releases before 0.0.31. The issue concerns ZIP archive scanning behavior in a tool that teams may rely on before accepting pickle-containing or PyTorch model artifacts.
Covered by FixVibe
FixVibe GitHub repo scans can report repository dependency evidence for the PyPI picklescan package when manifests or lockfiles resolve to an affected range. The finding is a version-based advisory: it explains the observed package evidence, the public advisory IDs, the affected range, the fixed version, confidence, source quality, and the limits of what was verified.
What FixVibe verifies
FixVibe verifies that the authorized repository snapshot contains PickleScan dependency evidence matching the public affected range. Exact lockfile or manifest pins provide the strongest signal. Broader manifest constraints are reported only when they clearly allow affected releases.
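The kind of version-based evidence matching described above, as an added example that is not FixVibe's own scanner: it reads a constructed requirements.txt and a constructed poetry.lock fragment, looks for the picklescan package, and reports whether an exact pin resolves to a release before 0.0.31 (high-confidence evidence) or a looser constraint merely admits one (medium). The sample manifests, the confidence labels and the simplified PEP 440 handling (pre/post/dev suffixes ignored, `>` treated like `>=` so the check errs on the side of reporting) are this example's own assumptions.

```python
"""Added example, not FixVibe's code: version-based dependency evidence for
picklescan against the fixed release named in the public advisory."""
import re

PACKAGE = "picklescan"
FIXED_VERSION = "0.0.31"  # first fixed release per the advisory for CVE-2025-10156

# Constructed sample inputs (not taken from any real repository).
REQUIREMENTS = """# constructed sample requirements.txt
torch>=2.0
picklescan==0.0.30   # exact pin below the fixed release
numpy
"""
LOCKFILE = """# constructed sample poetry.lock fragment
[[package]]
name = "picklescan"
version = "0.0.31"
"""

SPEC_RE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.*+!-]*)")


def parse_version(text):
    """Numeric release segment of a PEP 440 version as a tuple; suffixes ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a, b):
    """Compare release tuples, right-padding with zeros so 0.1 == 0.1.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version):
    """True when the release is strictly before the fixed version."""
    return version_lt(parse_version(version), parse_version(FIXED_VERSION))


def classify_requirement(line):
    """Classify one requirements.txt line; None if it is not picklescan.
    An exact pin is strong evidence; a range only admits affected releases."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$", line)
    if not m or m.group(1).lower().replace("_", "-") != PACKAGE:
        return None
    specs = SPEC_RE.findall(m.group(3))
    exact = [v for op, v in specs if op in ("==", "===")]
    if exact:
        return {"signal": "exact_pin", "confidence": "high",
                "version": exact[0], "affected": is_affected(exact[0])}
    # Conservative floor: >=, > and ~= all leave the named version (or a
    # post-release of it) selectable, so '>' is treated like '>='.
    lower = [parse_version(v) for op, v in specs if op in (">=", ">", "~=")]
    floor = max(lower) if lower else (0,)
    allows_affected = version_lt(floor, parse_version(FIXED_VERSION))
    return {"signal": "range" if specs else "unconstrained",
            "confidence": "medium" if allows_affected else "none",
            "version": m.group(3) or "*", "affected": allows_affected}


def scan_requirements(text):
    """All picklescan findings in a requirements.txt body."""
    return [f for f in (classify_requirement(l) for l in text.splitlines()) if f]


def lockfile_finding(text):
    """Resolved picklescan version from poetry.lock-style [[package]] tables."""
    for block in text.split("[[package]]"):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and ver and name.group(1).lower() == PACKAGE:
            return {"signal": "lock_pin", "confidence": "high",
                    "version": ver.group(1), "affected": is_affected(ver.group(1))}
    return None


if __name__ == "__main__":
    for finding in scan_requirements(REQUIREMENTS):
        print("requirements.txt:", finding)
    print("poetry.lock:", lockfile_finding(LOCKFILE))
```

When a lockfile and a manifest disagree, the lockfile's resolved version is the one a deployment actually installs, so report it with the higher confidence and treat the manifest constraint as context.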
What FixVibe does not verify
FixVibe does not execute PickleScan, create corrupted ZIP or model archives, scan model files, run PyTorch, load pickle data, prove a scan bypass, or prove runtime code execution. A repository dependency match should be treated as upgrade evidence and model-ingestion review context, not as proof that an exploitable production workflow is present.
Recommended remediation
Upgrade picklescan to 0.0.31 or newer in the dependency source that controls deployment, regenerate the active lockfile, and rebuild any CI, model-ingestion, training, inference, notebook, worker, or security-scanning runtime that runs PickleScan. Review model-ingestion workflows so scan errors fail closed and model artifacts come from trusted or provenance-checked sources. Use benign archive and model smoke tests for verification.
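A fail-closed ingestion gate of the kind the remediation calls for, as an added example that is neither FixVibe's nor PickleScan's code. It accepts a model artifact only when an optional provenance digest matches and the scanner ran to completion with a clean summary; a missing scanner binary, a crash, a timeout, a non-zero exit or an unparseable summary all reject the artifact instead of letting it through on an error. The `picklescan -p <path>` invocation and the `Infected files:` / `Dangerous globals:` summary lines are assumptions about the CLI's interface, and the exit-code handling is this example's policy rather than PickleScan's documented contract; the sample artifact is constructed bytes, not a real model.

```python
"""Added example, not FixVibe's or PickleScan's code: a fail-closed wrapper
around a model-scanning step. Any outcome other than a completed clean scan
rejects the artifact."""
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class GateDecision:
    accepted: bool
    reason: str


def sha256_of(path):
    """Streaming SHA-256 of a file, for provenance checks against a known digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_picklescan(path, timeout=60):
    """Invoke the PickleScan CLI. The '-p' flag form is an assumption."""
    return subprocess.run(["picklescan", "-p", path],
                          capture_output=True, text=True, timeout=timeout)


def parse_summary(stdout):
    """Read the assumed 'Infected files: N' and 'Dangerous globals: N' counters.
    Returns None when either is missing or malformed; the gate treats that as
    a failed scan rather than a clean one."""
    counts = {}
    for line in stdout.splitlines():
        for key in ("Infected files", "Dangerous globals"):
            if line.strip().startswith(key + ":"):
                try:
                    counts[key] = int(line.split(":", 1)[1].strip())
                except ValueError:
                    return None
    return counts if len(counts) == 2 else None


def gate_artifact(path, expected_sha256=None, runner=run_picklescan):
    """Fail-closed decision: provenance match (if a digest is given) AND a
    completed, clean scan. Every other path returns a rejection."""
    if expected_sha256 is not None:
        actual = sha256_of(path)
        if actual != expected_sha256.lower():
            return GateDecision(False, f"digest mismatch: {actual[:12]}...")
    try:
        proc = runner(path)
    except FileNotFoundError:
        return GateDecision(False, "scanner not installed")
    except subprocess.TimeoutExpired:
        return GateDecision(False, "scanner timed out")
    except Exception as exc:  # any other scanner failure is also a rejection
        return GateDecision(False, f"scanner error: {type(exc).__name__}")
    if proc.returncode != 0:
        return GateDecision(False, f"scanner exited {proc.returncode}")
    counts = parse_summary(proc.stdout)
    if counts is None:
        return GateDecision(False, "scan summary missing or unparseable")
    if counts["Infected files"] or counts["Dangerous globals"]:
        return GateDecision(False, "scanner flagged the artifact")
    return GateDecision(True, "clean scan" + (", provenance verified" if expected_sha256 else ""))


# Constructed stand-ins so the gate can be exercised without the real scanner.
CLEAN_OUTPUT = "----------- SCAN SUMMARY -----------\nScanned files: 1\nInfected files: 0\nDangerous globals: 0\n"
FLAGGED_OUTPUT = "----------- SCAN SUMMARY -----------\nScanned files: 1\nInfected files: 1\nDangerous globals: 1\n"


def fake_runner(stdout, returncode=0):
    """Build a runner that returns constructed scanner output."""
    def run(path, timeout=60):
        return subprocess.CompletedProcess(["picklescan", "-p", path], returncode, stdout, "")
    return run


def write_sample_artifact():
    """Write a small constructed file (not a real model) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample bytes, not a real model\n")
    return path


if __name__ == "__main__":
    sample = write_sample_artifact()
    digest = sha256_of(sample)
    print(gate_artifact(sample, digest, fake_runner(CLEAN_OUTPUT)))
    print(gate_artifact(sample, digest, fake_runner("", returncode=2)))
    print(gate_artifact(sample, digest))  # real CLI, or rejection if absent
```

The `runner` parameter exists so the gate's policy can be tested with constructed scanner output; in the pipeline itself the default `run_picklescan` is used, and the benign smoke tests the note recommends are simply known-good artifacts whose digests are passed as `expected_sha256`.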
