An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Affected versions: ( , 0.0.31)
The vulnerability stems from how PickleScan handles ZIP archives. It uses Python's standard zipfile module, which raises zipfile.BadZipFile when the data of a member is read and its CRC-32 does not match the value recorded in the archive (opening the archive and listing its members does not trigger the check). PickleScan does not handle this exception gracefully: it aborts the whole scan instead of recording the error and continuing with the other members of the archive, so a single corrupted member suppresses scanning of everything else in the file. This creates a security blind spot, because PyTorch may be configured to ignore CRC errors and load a model from the same corrupted archive, inadvertently executing a malicious pickle payload that PickleScan never inspected.
The following steps demonstrate the vulnerability using a public model with a known CRC error.
# 1. Download a PyTorch model known to have a bad CRC.
wget "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true" -O pytorch_model.bin
# 2. Attempt to scan the corrupted ZIP file with PickleScan.
picklescan -p pytorch_model.bin
# Observed result: PickleScan reports a bad ZIP file and does not scan any member of the archive.
# Expected result: PickleScan should warn about the CRC error but still scan every member it can read for threats.
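The reproduction above depends on downloading a specific model. The script below is an added, self-contained example (not PickleScan's code) that reproduces the mechanism described in the two paragraphs above offline: it builds an in-memory ZIP whose single member has a deliberately corrupted CRC-32, shows that zipfile raises BadZipFile only when the member is read, and contrasts a scanner that stops at that exception (the reported behaviour) with one that records the CRC error, reads the member straight from its local file header the way a CRC-blind loader would, and still inspects the pickle's GLOBAL/STACK_GLOBAL opcodes. The payload, member name and DANGEROUS_GLOBALS list are constructed for the demonstration, and reading via the local file header is this example's own technique, not something PickleScan or PyTorch is claimed to do.

```python
import io
import pickletools
import struct
import zipfile
import zlib

# Constructed sample: a protocol-0 pickle that would call os.system("echo pwned")
# if unpickled. It is only parsed with pickletools here, never loaded.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."

# Small, illustrative blocklist; a real scanner carries a much longer one.
DANGEROUS_GLOBALS = {("os", "system"), ("posix", "system"), ("nt", "system"),
                     ("subprocess", "Popen"), ("builtins", "eval"), ("builtins", "exec")}


def build_stored_zip(name, payload, corrupt_crc=True):
    """Write a one-member STORED zip; optionally overwrite the member's CRC-32 in
    both the local file header and the central directory so it no longer matches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if corrupt_crc:
        bad_crc = struct.pack("<I", zlib.crc32(payload) ^ 0xFFFFFFFF)
        # First member's local file header starts at offset 0; CRC-32 at bytes 14..17.
        data[14:18] = bad_crc
        # EOCD record is the last 22 bytes (no archive comment); the central
        # directory offset is at bytes 16..19 of it, and the CRC-32 sits at
        # bytes 16..19 of the central directory file header.
        cd_offset = struct.unpack("<I", data[-22:][16:20])[0]
        data[cd_offset + 16:cd_offset + 20] = bad_crc
    return bytes(data)


def read_member_without_crc_check(archive, info):
    """Extract one member by parsing its local file header directly, ignoring
    the CRC-32 entirely (what a CRC-blind loader effectively sees)."""
    hdr = struct.unpack("<IHHHHHIIIHH", archive[info.header_offset:info.header_offset + 30])
    if hdr[0] != 0x04034B50:
        raise zipfile.BadZipFile("bad local file header for %r" % info.filename)
    start = info.header_offset + 30 + hdr[9] + hdr[10]   # skip filename and extra field
    raw = archive[start:start + info.compress_size]
    if info.compress_type == zipfile.ZIP_STORED:
        return raw
    if info.compress_type == zipfile.ZIP_DEFLATED:
        return zlib.decompress(raw, -15)                  # raw deflate stream
    raise ValueError("unsupported compression method %d" % info.compress_type)


def find_globals(payload):
    """List every (module, name) the pickle would import, without executing it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name in ("GLOBAL", "INST"):                 # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":                   # module and name pushed just before
            found.append((strings[-2], strings[-1]))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


def halting_scan(archive):
    """Reported behaviour: the first CRC mismatch raises BadZipFile out of the
    scan and nothing is reported for any member."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            results[info.filename] = find_globals(zf.read(info.filename))
    return results


def tolerant_scan(archive):
    """Scans every member; a CRC error is recorded as a warning and the member
    is still read via its local header and inspected."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                payload, crc_ok = zf.read(info.filename), True
            except zipfile.BadZipFile:
                payload, crc_ok = read_member_without_crc_check(archive, info), False
            found = find_globals(payload)
            results[info.filename] = {"crc_ok": crc_ok, "globals": found,
                                      "dangerous": any(g in DANGEROUS_GLOBALS for g in found)}
    return results


def run_demo():
    archive = build_stored_zip("data.pkl", MALICIOUS_PICKLE)
    try:
        halting, halting_error = halting_scan(archive), None
    except zipfile.BadZipFile as exc:
        halting, halting_error = None, str(exc)
    return {"halting": halting, "halting_error": halting_error,
            "tolerant": tolerant_scan(archive)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(run_demo())
```

Running the script shows the halting scanner producing no findings at all (only the "Bad CRC-32" exception), while the tolerant scanner flags the same member as having a CRC error and a dangerous os.system global. The design point for a scanner is that a CRC mismatch is a property of the container, not evidence that the content is safe; the member should be reported as both corrupted and scanned, and a loader that does not verify CRCs would happily execute it.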
No mitigations are supplied for this issue.