FixVibe
Covered by FixVibe · Severity: high

PickleScan ZIP Archive Scan Bypass (CVE-2025-10156)

FixVibe can flag repositories that declare PickleScan versions before 0.0.31, which public advisories associate with a ZIP archive scan-bypass issue. The scanner reports dependency evidence, affected range, fixed version, confidence, and what was not verified; it does not run PickleScan, create corrupted archives, load models, or prove code execution.

CVE-2025-10156 · GHSA-mjqp-26hc-grxg · PYSEC-2025-152 · CWE-755 · CWE-693

Research note

Public advisories for CVE-2025-10156 describe affected PickleScan releases before 0.0.31. The issue concerns ZIP archive scanning behavior in a tool that teams may rely on before accepting pickle-containing or PyTorch model artifacts.

Covered by FixVibe

FixVibe GitHub repo scans can report repository dependency evidence for the PyPI picklescan package when manifests or lockfiles resolve to an affected range. The finding is a version-based advisory: it explains the observed package evidence, the public advisory IDs, the affected range, the fixed version, confidence, source quality, and the limits of what was verified.

What FixVibe verifies

FixVibe verifies that the authorized repository snapshot contains PickleScan dependency evidence matching the public affected range. Exact lockfile or manifest pins provide the strongest signal. Broader manifest constraints are reported only when they clearly allow affected releases.
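As an added illustration of the version-evidence check described above (example code, not FixVibe's own scanner), the following Python sketch classifies a picklescan requirement specifier against the 0.0.31 fix boundary: an exact pin on an affected release yields a high-confidence finding, a broader range is reported only when it clearly admits a release below 0.0.31, and a range whose lower bound starts at or above the fix is not reported. The sample requirements text is constructed, and `assess_requirement` and `scan_requirements` are hypothetical names.

```python
import re

FIXED = (0, 0, 31)  # first PickleScan release without CVE-2025-10156, per the advisory

# Matches a requirements/lockfile line for the PyPI package "picklescan"; group 1 is the specifier.
REQ_LINE = re.compile(r"^\s*picklescan\b(?:\[[^\]]*\])?\s*([^#;]*)", re.IGNORECASE)

# Constructed sample manifest, not taken from any real repository.
SAMPLE_REQUIREMENTS = "torch>=2.2\npicklescan==0.0.30\nnumpy\n"

def parse_version(text):
    """'0.0.30' -> (0, 0, 30); padded to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return (parts + (0, 0, 0))[:3]

def assess_requirement(spec):
    """Classify a picklescan specifier such as '==0.0.30' or '>=0.0.20,<0.1'.
    Returns (confidence, reason): 'high' for an exact pin on an affected release,
    'medium' for a range that clearly admits releases below 0.0.31, None when
    the constraint excludes them. Unrecognised operators are handled conservatively."""
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    if not clauses:
        return "medium", "unpinned: the resolver may select an affected release"
    for c in clauses:
        if c.startswith("==") and not c.startswith("===") and "*" not in c:
            if parse_version(c[2:]) < FIXED:
                return "high", f"exact pin {c} is inside the affected range (< 0.0.31)"
            return None, f"exact pin {c} is at or above the fixed release"
    # No exact pin: affected releases stay reachable unless a lower bound rules them out.
    for c in clauses:
        match = re.match(r"(?:>=|>|~=)\s*(.+)$", c)
        if match and parse_version(match.group(1)) >= FIXED:
            return None, f"lower bound {c} excludes affected releases"
    return "medium", f"range '{spec}' admits releases below 0.0.31"

def scan_requirements(text):
    """Return (line_no, spec, confidence, reason) for picklescan lines that admit an affected release."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQ_LINE.match(line)
        if match:
            confidence, reason = assess_requirement(match.group(1).strip())
            if confidence:
                findings.append((line_no, match.group(1).strip(), confidence, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE_REQUIREMENTS):
        print(*finding)
```

A real lockfile resolver would also need to handle hashes, markers and wildcard pins such as `==0.0.*`, which this sketch deliberately treats as ranges rather than exact evidence.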

What FixVibe does not verify

FixVibe does not execute PickleScan, create corrupted ZIP or model archives, scan model files, run PyTorch, load pickle data, prove a scan bypass, or prove runtime code execution. A repository dependency match should be treated as upgrade evidence and model-ingestion review context, not as proof that an exploitable production workflow is present.

Upgrade picklescan to 0.0.31 or newer in the dependency source that controls deployment, regenerate the active lockfile, and rebuild any CI, model-ingestion, training, inference, notebook, worker, or security-scanning runtime that runs PickleScan. Review model-ingestion workflows so scan errors fail closed and model artifacts come from trusted or provenance-checked sources. Use benign archive and model smoke tests for verification.
