CVE-2025-10156

CRITICAL

Mmaitre314 Picklescan < 0.0.31 - Improper Exception Handling

Title source: rule

Description

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.

References (4)

[Product] https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35

View Writeup ZIP pw:eip

[Exploit, Vendor Advisory] https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg

[Not Applicable] https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true

[Not Applicable] https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main

Scores

CVSS v3 9.8

EPSS 0.0041

EPSS Percentile 60.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-755

Status published

Affected Products (2)

mmaitre314/picklescan < 0.0.31

pypi/picklescan < 0.0.31PyPI

Timeline

Published Sep 17, 2025

Tracked Since Feb 18, 2026