PickleScan ZIP Header Manipulation Vulnerability in PyTorch Model Archives

Vulnerability

PickleScan versions prior to 0.0.23 fail to detect malicious pickle files embedded in PyTorch model archives. PyTorch saves a model as a ZIP archive whose members include a pickle stream, and PickleScan locates and scans that pickle by parsing the archive. When certain general-purpose flag bits in the ZIP file headers are altered, PickleScan no longer inspects the pickle member, while PyTorch's loader still reads the archive and unpickles it. Because pickle opcodes can invoke arbitrary callables, loading a compromised model executes attacker-controlled code.

Impact

An attacker who can distribute a model file can embed a malicious pickle payload that passes a PickleScan check and still runs when the model is loaded. This enables machine learning supply chain attacks: a backdoored model published on a hub such as Hugging Face or PyTorch Hub, where a clean PickleScan result is often the only gate before a user calls the loader, executes the payload on every machine that loads it.

Reproduction

The issue is reproduced by saving a PyTorch model, then editing the resulting ZIP archive so that it carries a malicious pickle file and has specific flag bits flipped in the ZIP file header. With the flipped bits in place, PickleScan does not scan the pickle member, but PyTorch still accepts the archive and unpickles the member when the model is loaded, at which point the embedded code runs. The practical check for a defender is therefore not only whether a scanner reports the archive clean, but whether the scanner and the loader parse the same bytes the same way: a member that the scanner skipped or failed to read, but that the loader will still unpickle, is a bypass.
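The following is an added example, not PickleScan's or PyTorch's code, that illustrates the structural point above: a ZIP archive carries each member's general-purpose flag bits twice, once in the local file header and once in the central directory, and a tampered archive can make the two disagree or set bits (encryption, patched data) that a saved model never needs. The audit below walks both structures directly from the ZIP layout constants and reports any member whose flag bits look tampered with. The archive, the harmless pickle bytes and the tampering helper are all constructed for the demo; the helper flips a flag field in a local header to exercise the audit and is not a reproduction of the specific bits used in the real bypass.

```python
"""Audit ZIP general-purpose flag bits: local file header versus central directory.

Added example for illustration; not PickleScan or PyTorch code. Offsets and field
layouts follow the ZIP format (local header 30 bytes, central directory entry 46
bytes, end-of-central-directory record 22 bytes).
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Flag bits a saved model archive never needs: bit 0 encrypted,
# bit 5 compressed patched data, bit 6 strong encryption.
SUSPICIOUS_FLAG_MASK = 0x0001 | 0x0020 | 0x0040


def parse_central_directory(data: bytes) -> list[dict]:
    """Return one dict per member with its central-directory flags and local header offset."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # sig, disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries = []
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        flags, nlen, elen, clen, local_off = f[3], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "cd_flags": flags, "local_offset": local_off})
        pos += 46 + nlen + elen + clen
    return entries


def read_local_header(data: bytes, offset: int) -> tuple[int, str]:
    """Return (flags, filename) from the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"bad local header signature at offset {offset}")
    f = struct.unpack("<4sHHHHHIIIHH", data[offset:offset + 30])
    flags, nlen = f[2], f[9]
    name = data[offset + 30:offset + 30 + nlen].decode("utf-8", "replace")
    return flags, name


def audit_zip_flags(data: bytes) -> list[str]:
    """Report members whose local and central flag bits disagree or carry unneeded bits."""
    findings = []
    for e in parse_central_directory(data):
        local_flags, local_name = read_local_header(data, e["local_offset"])
        if local_flags != e["cd_flags"]:
            findings.append(f"{e['name']}: local flags 0x{local_flags:04x} != central flags 0x{e['cd_flags']:04x}")
        if (local_flags | e["cd_flags"]) & SUSPICIOUS_FLAG_MASK:
            findings.append(f"{e['name']}: encryption/patch flag bits set (local 0x{local_flags:04x}, central 0x{e['cd_flags']:04x})")
        if local_name != e["name"]:
            findings.append(f"{e['name']}: local header names member {local_name!r}")
    return findings


def build_model_like_archive() -> bytes:
    """Constructed stand-in for a saved model: a data.pkl member plus a version member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", b"\x80\x02N.")  # harmless pickle: PROTO 2, NONE, STOP
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


def flip_local_flag_bits(data: bytes, member: str, mask: int) -> bytes:
    """Constructed tampering for the demo: XOR `mask` into the local header flag field of `member`."""
    buf = bytearray(data)
    for e in parse_central_directory(data):
        if e["name"] == member:
            off = e["local_offset"] + 6  # flag field follows sig(4) + version needed(2)
            flags = struct.unpack_from("<H", buf, off)[0]
            struct.pack_into("<H", buf, off, flags ^ mask)
            return bytes(buf)
    raise KeyError(member)


if __name__ == "__main__":
    clean = build_model_like_archive()
    print("clean archive:", audit_zip_flags(clean) or "no findings")
    tampered = flip_local_flag_bits(clean, "model/data.pkl", 0x0001)
    for line in audit_zip_flags(tampered):
        print("tampered archive:", line)
```

A check like this belongs in front of any loader, independent of the scanner: the central directory alone (which `zipfile.ZipFile(...).namelist()` reads) still lists the tampered member normally, so a tool that trusts one structure without cross-checking the other sees nothing unusual.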

Remediation

Upgrade to PickleScan version 0.0.23 or later (pip install --upgrade picklescan); the package and upgrade instructions are on the PickleScan PyPI page. Treat the scanner as one layer rather than the only gate: a scan result says nothing about a member the scanner could not or did not parse, so archives that fail to parse cleanly should be rejected rather than passed. Independently of PickleScan, loading with torch.load(..., weights_only=True), the default since PyTorch 2.6, uses a restricted unpickler that refuses arbitrary callables and blocks this class of payload at the loader.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  5.8
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.