Slide 12 of 29
Part 2 · Types
Slide 12 · Attack Type 4 of 6 — Scanner Bypass
“We scan our models.” What if the scanner can be tricked?
Confirmed Vulnerability · 2025 · JFrog Security Research
PickleScan Bypass — Malicious Models Pass as “Safe”
CVE-2025-10155 · CVSS 9.3 (Critical) · Affects picklescan ≤ 0.0.30 · Fixed in 0.0.31

The context: PickleScan is the open-source scanner that Hugging Face and others use to flag dangerous pickle files. It's the safety net under the whole “we scan models” assurance.

The flaw: the scanner picks its analysis based on file extension first. Give a plain malicious pickle a PyTorch-style extension (like .bin), and the PyTorch-specific parser fails — then the scanner returns an error without falling back to standard pickle analysis. The malicious file is never inspected and is reported clean.

Why it's critical: the dangerous payload still executes on load. The defense that was supposed to catch it waves it through.

Takeaway: a security tool is itself a supply-chain component. A bug in your scanner can be worse than no scanner — because it hands you false confidence.
The Defense This Would Have Stopped

Defense in depth: don't rely on a single scanner. Keep scanners patched (this was fixed in 0.0.31), prefer non-executable formats, and layer signing + provenance so a single bypass isn't game over.
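To make the extension-first failure and the fail-closed fix concrete, here is an added toy scanner (example code written for this slide, not PickleScan's implementation and not the CVE's actual code path). It walks pickle opcodes statically with `pickletools.genops`, which never executes the stream, and flags any global import whose module is not on a small allowlist. `SAFE_MODULES`, `PYTORCH_EXTENSIONS`, the `.pkl`-member convention for the zip path, and the sample inputs are all assumptions constructed for the example; the "flagged" sample merely imports `math.sqrt`, which the toy allowlist does not permit. The vulnerable dispatcher mirrors the pattern the slide describes (extension picks the parser, a parse error ends the scan with no fallback) and the hardened one sniffs content and treats anything but an affirmative clean verdict as blocked.

```python
import io
import math
import pickle
import pickletools
import zipfile
from pathlib import PurePosixPath

# Hypothetical allowlist for this example; a real scanner keeps its own, much longer lists.
SAFE_MODULES = {"builtins", "collections", "torch", "numpy"}
# Assumption: these suffixes are routed to the PyTorch (zip) parser.
PYTORCH_EXTENSIONS = {".bin", ".pt", ".pth"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def scan_pickle_bytes(data: bytes) -> dict:
    """Static opcode walk: flag every global import whose module is not allowlisted.
    Toy limitation: memo get/put references are not resolved; a production scanner must."""
    findings, recent_strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                recent_strings.append(arg)
            elif op.name == "GLOBAL":                 # protocol <= 3: arg is "module name"
                module, name = arg.split(" ", 1)
                if module not in SAFE_MODULES:
                    findings.append(f"{module}.{name}")
            elif op.name == "STACK_GLOBAL":           # protocol >= 4: module, name pushed as strings
                module, name = recent_strings[-2], recent_strings[-1]
                if module not in SAFE_MODULES:
                    findings.append(f"{module}.{name}")
    except Exception as exc:                          # any parse failure is an error, never "clean"
        return {"status": "error", "findings": [], "detail": f"not a valid pickle: {exc}"}
    return {"status": "dangerous" if findings else "clean", "findings": findings}


def scan_torch_zip(data: bytes) -> dict:
    """PyTorch-style checkpoints are zip archives; assume the pickle lives in *.pkl members."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:   # raises zipfile.BadZipFile on non-zip input
        results = [scan_pickle_bytes(zf.read(m)) for m in zf.namelist() if m.endswith(".pkl")]
    if any(r["status"] == "error" for r in results):
        return {"status": "error", "findings": []}
    findings = [f for r in results for f in r["findings"]]
    return {"status": "dangerous" if findings else "clean", "findings": findings}


def scan_extension_first(filename: str, data: bytes) -> dict:
    """The flawed pattern from the slide: the extension picks the parser, and a parser
    error ends the scan without ever inspecting the bytes as a plain pickle."""
    if PurePosixPath(filename).suffix in PYTORCH_EXTENSIONS:
        try:
            return scan_torch_zip(data)
        except zipfile.BadZipFile as exc:
            return {"status": "error", "findings": [], "detail": str(exc)}  # no fallback
    return scan_pickle_bytes(data)


def scan_content_first(filename: str, data: bytes) -> dict:
    """Hardened dispatch: the bytes decide the parser; the extension is only a hint."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return scan_torch_zip(data)
    return scan_pickle_bytes(data)                    # fall back to raw pickle analysis


def gate_lenient(result: dict) -> bool:
    """The downstream mistake that turns an error into a bypass: 'no findings' == safe."""
    return not result["findings"]


def gate_fail_closed(result: dict) -> bool:
    """Only an affirmative clean verdict may load; errors and findings both block."""
    return result["status"] == "clean"


# Constructed samples (not real model files).
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
FLAGGED_PICKLE = pickle.dumps(math.sqrt, protocol=4)      # STACK_GLOBAL math sqrt
FLAGGED_PICKLE_P2 = pickle.dumps(math.sqrt, protocol=2)   # GLOBAL "math sqrt"


def make_torch_style_zip(inner_pickle: bytes) -> bytes:
    """Build a minimal zip with one .pkl member, standing in for a PyTorch checkpoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", inner_pickle)
    return buf.getvalue()


if __name__ == "__main__":
    # A plain pickle given a .bin name: the flawed path errors out and the lenient gate lets it through.
    flawed = scan_extension_first("model.bin", FLAGGED_PICKLE)
    print("extension-first:", flawed["status"], "-> loads?", gate_lenient(flawed))
    fixed = scan_content_first("model.bin", FLAGGED_PICKLE)
    print("content-first:  ", fixed["status"], fixed["findings"], "-> loads?", gate_fail_closed(fixed))
```

The two gates are the point: even with the flawed dispatcher, `gate_fail_closed` blocks the file because an error is not a clean verdict, which is the cheapest layer of the defense in depth the slide recommends while you wait for the patched scanner.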
