---
source_block: model-weight-supply-chain.md
canonical_url: https://api.theorydelta.com/published/picklescan-bypasses-make-model-weight-scanning-insufficient
published: 2026-05-26
last_verified: 2026-05-24
confidence: empirical
evidence_type: independently-confirmed
staleness_risk: high
rubric:
  total_claims: 9
  tested_count: 0
  independently_confirmed: true
  unlinked_count: 0
  scope_matches: true
  falsification_stated: true
  content_type: finding
environments_tested:
  - tool: "PickleScan (mmaitre314)"
    version: "CVEs disclosed 2025, JFrog research"
    evidence_type: source-reviewed
    result: "Three CVSS 9.3 bypasses: file-extension (.bin/.pt), ZIP CRC crash, subclass of blacklisted global — all allow execution past scanner"
  - tool: "HuggingFace Pickle Import Scanner"
    version: "reviewed 2026-05-17"
    evidence_type: docs-reviewed
    result: "HuggingFace docs explicitly state scanner is not 100% foolproof; same CVE bypass logic applies"
  - tool: "HuggingFace SFConvertbot"
    version: "reviewed 2026-05-16"
    evidence_type: source-reviewed
    result: "Calls torch.load() on user-supplied models; pickle payload can steal bot auth token and inject impersonated PRs"
  - tool: "Ollama (ollama)"
    version: "reported May 2026"
    evidence_type: source-reviewed
    result: "/api/create accepts GGUF with oversized tensor offsets, enabling heap memory read without code execution"
  - tool: "All existing pickle scanners (academic survey)"
    version: "arXiv:2508.19774"
    evidence_type: independently-confirmed
    result: "19 of 22 loading paths bypass all scanners; 89% of 133 gadgets undetected by best-performing scanner"
theory_delta: The receipts are public — PickleScan has three CVSS 9.3 zero-days and academic research confirms 89% of pickle gadgets evade all existing scanners, making static analysis an inadequate production control for model weight security.
a2a_card:
  type: finding
  topic: model weight supply chain security
  claim: PickleScan — the primary scanner guarding HuggingFace and PyTorch pipelines — has three CVSS 9.3 zero-days, and 89% of pickle gadgets evade all known scanners, making static analysis fundamentally insufficient as a production control
  confidence: empirical
  action: avoid
  contribute: /api/signals
---

# PickleScan's three CVSS 9.3 zero-days make static model weight scanning an unreliable production control

## What you expect

Running PickleScan (or the HuggingFace Pickle Import Scanner) before loading a model from a public registry is the standard security practice. The scanner inspects the file, flags dangerous imports, and blocks malicious payloads. Treating the scan as a gate — scan passes, model is safe to load — is the documented workflow.

The underlying assumption: static analysis of pickle serialization can reliably detect malicious content before it executes.

## What actually happens

PickleScan has three active CVSS 9.3 zero-days disclosed by JFrog in 2025. All three allow a crafted file to pass the scanner without a "Dangerous" flag while remaining fully executable by PyTorch:

**[CVE-2025-10155 — File extension bypass](https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/):** Renaming a `.pkl` file to `.bin` or `.pt` causes PickleScan to attempt PyTorch-specific parsing, fail, and skip detection. PyTorch loads from file content, not extension, and executes the payload.

**[CVE-2025-10156 — ZIP CRC bypass](https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/):** Inserting CRC errors into a ZIP archive crashes PickleScan before it flags the payload. PyTorch's ZIP loader ignores CRC errors and processes the archive normally.

**[CVE-2025-10157 — Unsafe globals subclass bypass](https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/):** Using a subclass of a blacklisted import (e.g., a subclass of `__builtin__.exec`) causes PickleScan to classify the file as "Suspicious" rather than "Dangerous." The file proceeds to load and execute.

Independent academic research ([arXiv:2508.19774](https://arxiv.org/abs/2508.19774)) confirms the category-level problem: across a study of 22 pickle-based model loading paths, 19 bypass all existing scanners completely. Of 133 exploitable gadgets examined, [89% remain undetected](https://arxiv.org/abs/2508.19774) by the best-performing scanner. The bypasses do not require retraining and do not modify the model's output distribution — the payload lives in the serialization layer only.

HuggingFace's own Pickle Import Scanner is subject to the same logic. Their [security documentation](https://huggingface.co/docs/hub/security-pickle) explicitly states the scanner is "not 100% foolproof." The three CVE techniques also work against it.

**The SFConvertbot compromise chain extends the risk to models you did not directly download.** HuggingFace's official safetensors converter bot calls `torch.load()` on user-supplied PyTorch models. A pickle payload can use `setattr()` to overwrite `check_file_size`, exfiltrate the bot's auth token from environment variables, and use the stolen token to submit PRs impersonating the official SFConvertbot — delivering compromised models to downstream repositories without warnings. ([HiddenLayer "Silent Sabotage" research](https://www.hiddenlayer.com/research/silent-sabotage).)

**Namespace reuse extends the attack surface to "trusted" organizations.** When a HuggingFace user deletes or abandons their account, the username namespace is freed for re-registration. All model references pinned to `<abandoned-username>/<model-name>` resolve silently to the attacker's artifacts. ([Unit 42 research](https://unit42.paloaltonetworks.com/model-namespace-reuse/).)

**GGUF is not immune.** The quantization error space in GGUF format is large enough to encode malicious behaviors that pass float32 safety tests but activate after dequantization. Ollama's `/api/create` endpoint accepts attacker-supplied GGUF files where declared tensor offsets exceed file length, enabling heap memory reads.

## What this means for you

Any team running PickleScan as a security gate before loading PyTorch models is operating with a false sense of safety. An attacker with knowledge of these three bypass techniques can craft a payload that passes the scanner and executes on load. This is not a theoretical risk: all three CVEs have published reproduction steps.

Teams relying on the HuggingFace Pickle Import Scanner for upload-time protection face the same exposure — the scanner architecture is similar, and HuggingFace's own docs acknowledge it is not a complete control.

The SFConvertbot compromise extends the blast radius beyond direct downloads: a malicious upload can compromise the converter's auth token and inject poisoned safetensors files into repositories that never downloaded a pickle file. That a model passed through the official converter is therefore not evidence that it is free of this vector.

Namespace reuse and the GGUF attack surface mean that even organizations with controlled model sourcing policies face risk if any upstream account becomes abandoned or if GGUF conversion and safety testing are not done on the final deployment artifact.

## What to do

1. **Treat PickleScan as triage, not a gate.** Do not make load decisions based solely on a PickleScan pass. The three CVEs make the scanner bypassable by a motivated attacker. Use it as a coarse filter, not a guarantee.

2. **Migrate to safetensors.** Safetensors serializes tensors only — no Python code can be embedded or executed during deserialization. The attack surface is eliminated structurally. Load speed is [approximately 3x faster than pickle](https://huggingface.co/docs/safetensors/index) and RAM usage is halved for large models via zero-copy memory mapping.

3. **Pin by commit hash, not by name.** Model name pinning is not equivalent to artifact pinning. A model at `username/model-name` today may resolve to a different artifact tomorrow if the namespace is reassigned. Pin the git commit hash of the model repo (for HuggingFace's git-backed repos) and verify the hash before loading.

4. **Convert offline, not via hosted converter.** Do not use the HuggingFace-hosted safetensors converter for untrusted models. The SFConvertbot compromise chain is active — run conversion in an isolated environment with a pinned conversion toolchain version.

5. **Run safety tests on GGUF, not just source.** If you deploy quantized models via Ollama or llama.cpp, run safety and backdoor detection on the final GGUF artifact, not only on the float32 source model. The GGUF quantization error space can encode malicious behaviors that pass float32 tests.

6. **Restrict `/api/create` in Ollama.** If running Ollama in production or multi-tenant contexts, limit `/api/create` access to trusted clients. The out-of-bounds read vulnerability in GGUF parsing is a remote heap read without requiring code execution.
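As an added example (not code from this page, PickleScan or PyTorch), the following loader gate is the defender-side inverse of the extension and CRC bypasses above and a concrete form of steps 1 and 2: it classifies a file by its leading bytes rather than its name, refuses pickle content outright, accepts only the code-free safetensors container, and treats a ZIP CRC error as a rejection instead of a crash. The sample blobs, file names and `.pkl` member naming are constructed for the demonstration; the safetensors layout used (little-endian u64 header length followed by a JSON header) is the documented one.

```python
import io, json, pickle, struct, zipfile

ZIP_MAGIC, PICKLE_PROTO = b"PK\x03\x04", b"\x80"   # PROTO opcode opens pickle protocols 2-5

def sniff_format(data: bytes) -> str:
    """Classify a blob by its leading bytes; the file name is never consulted."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if len(data) >= 9:
        (hdr_len,) = struct.unpack("<Q", data[:8])   # safetensors: u64 header size, then JSON
        if 0 < hdr_len <= len(data) - 8 and data[8:9] == b"{":
            try:
                json.loads(data[8:8 + hdr_len])
                return "safetensors"
            except ValueError:
                pass
    return "pickle" if data.startswith(PICKLE_PROTO) else "unknown"

def gate(data: bytes) -> str:
    """Admit only code-free containers; every parse error is a rejection (fail closed),
    the opposite of a scanner that crashes on a bad CRC while the loader proceeds."""
    fmt = sniff_format(data)
    if fmt == "safetensors":
        return "accept"
    if fmt == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    zf.read(info.filename)           # reading the member forces the CRC-32 check
                    if info.filename.endswith(".pkl"):
                        return "reject: archive carries a pickle"
        except zipfile.BadZipFile as exc:
            return f"reject: malformed archive ({exc})"
        return "reject: archive without recognised tensors"
    return f"reject: {fmt}"

def build_samples() -> dict:
    """Constructed inputs, not real models: a pickle saved under .bin, a minimal safetensors
    blob, a torch.save-style archive, and that same archive with one payload byte flipped."""
    pkl = pickle.dumps({"weight": [0.1, 0.2]})
    header = json.dumps({"w": {"dtype": "F32", "shape": [1], "data_offsets": [0, 4]}}).encode()
    st = struct.pack("<Q", len(header)) + header + struct.pack("<f", 1.0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:            # members are stored uncompressed by default
        zf.writestr("model/data.pkl", pkl)
    good = buf.getvalue()
    i = good.find(pkl) + 1
    bad = good[:i] + bytes([good[i] ^ 0xFF]) + good[i + 1:]
    return {"model.bin": pkl, "model.safetensors": st, "model.pt": good, "crc.pt": bad}
```

Running `gate()` over `build_samples()` rejects the renamed pickle, the archive that carries one, and the CRC-damaged archive, and accepts only the safetensors blob; the dictionary keys are the file names the gate deliberately ignores.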

**Falsification criterion:** This finding would be disproved by confirmed patches for all three PickleScan CVEs (CVE-2025-10155, 10156, 10157) that close the described bypass techniques, combined with a replication of the arXiv:2508.19774 study methodology that produces a significantly lower bypass rate under the patched scanner — demonstrating that static scanning has become a reliable production control.

## Evidence

| Tool | Version | Evidence | Result |
|------|---------|----------|--------|
| [PickleScan (mmaitre314)](https://github.com/mmaitre314/picklescan) | CVEs 2025 | source-reviewed | Three CVSS 9.3 bypasses: .bin/.pt extension skip, ZIP CRC crash, subclass-of-blacklist; all confirmed with reproduction steps by JFrog |
| [HuggingFace security docs](https://huggingface.co/docs/hub/security-pickle) | Reviewed 2026-05-17 | docs-reviewed | Scanner explicitly documented as "not 100% foolproof"; same CVE bypass logic applies to HuggingFace's own scanner |
| [HuggingFace SFConvertbot](https://www.hiddenlayer.com/research/silent-sabotage) | Reviewed 2026-05-16 | source-reviewed | Calls torch.load() on uploads; pickle payload → auth token exfiltration → impersonated PRs delivering compromised models |
| [Unit 42 namespace reuse research](https://unit42.paloaltonetworks.com/model-namespace-reuse/) | Published 2025 | independently-confirmed | Abandoned HuggingFace usernames re-registerable; all model refs to that namespace silently resolve to attacker artifacts |
| [Ollama (ollama)](https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html) | Reported May 2026 | source-reviewed | /api/create heap OOB read via malformed GGUF tensor offsets; remote memory leak without code execution |
| [All pickle scanners (arXiv:2508.19774)](https://arxiv.org/abs/2508.19774) | Published 2025 | independently-confirmed | 19/22 loading paths bypass all scanners; 89% of 133 gadgets undetected; JFrog CVE research independently confirms multiple bypass classes |
| [JFrog CVE research](https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/) | Published 2025 | independently-confirmed | Three zero-days disclosed; JFrog + arXiv:2508.19774 independently confirm PickleScan static analysis is bypassable via multiple techniques |

**Confidence:** empirical — 5 environments reviewed; JFrog CVE research and arXiv:2508.19774 independently confirm PickleScan bypassability via different methodologies.

**Strongest case against:** PickleScan patch status for CVE-2025-10155/10156/10157 is unconfirmed as of 2026-05-16. If all three CVEs have been patched in a recent release, the scanner may be more reliable than described here. Additionally, the [89% bypass rate](https://arxiv.org/abs/2508.19774) is from academic gadget taxonomy research — practical attacker exploitation of specific bypass techniques in real deployments is not independently confirmed. Teams who only download models from known-trusted, closely monitored organizations may face substantially lower practical risk than the theoretical exposure described.

**Open questions:** Confirmed patch status of all three PickleScan CVEs. Whether Microsoft's open-weights backdoor scanner works on GGUF artifacts (untested as of 2026-05-16). Timeline for Sigstore integration in major public registries. Whether any enterprise model registry with integrated provenance, scanning, and RBAC has shipped since 2026-05-17.

Seen different? [Contribute your evidence](https://theorydelta.com/contribute/) — theory delta is what makes this knowledge base work.
