The Art of Hide and Seek: Making Pickle-Based Model Supply Chain Poisoning Stealthy Again

📅 2025-08-27
🤖 AI Summary
This work systematically uncovers the attack surface for supply-chain poisoning of machine learning models via Pickle deserialization. Existing scanners exhibit weak detection capabilities and are easily bypassed due to insufficient understanding of exploitable deserialization surfaces. To address this, we propose Exception-Oriented Programming (EOP), a novel technique integrating dynamic execution analysis with static code tracing. Applied across five major AI frameworks, EOP identifies 22 Pickle loading paths and 133 exploitable deserialization gadgets—discovering, for the first time, 19 previously undocumented loading paths and 9 concrete EOP instances. Experimental evaluation demonstrates that our approach achieves near-100% evasion against all state-of-the-art scanners, including the most advanced tool, which remains vulnerable to 89% of our exploits. All reported vulnerabilities were confirmed by vendors, resulting in a $6,000 bug bounty reward.

📝 Abstract
Pickle deserialization vulnerabilities have persisted throughout Python's history, remaining widely recognized yet unresolved. Due to its ability to transparently save and restore complex objects into byte streams, many AI/ML frameworks continue to adopt pickle as the model serialization protocol despite its inherent risks. As the open-source model ecosystem grows, model-sharing platforms such as Hugging Face have attracted massive participation, significantly amplifying the real-world risks of pickle exploitation and opening new avenues for model supply chain poisoning. Although several state-of-the-art scanners have been developed to detect poisoned models, their incomplete understanding of the poisoning surface leaves the detection logic fragile and allows attackers to bypass them. In this work, we present the first systematic disclosure of the pickle-based model poisoning surface from both model loading and risky function perspectives. Our research demonstrates how pickle-based model poisoning can remain stealthy and highlights critical gaps in current scanning solutions. On the model loading surface, we identify 22 distinct pickle-based model loading paths across five foundational AI/ML frameworks, 19 of which are entirely missed by existing scanners. We further develop a bypass technique named Exception-Oriented Programming (EOP) and discover 9 EOP instances, 7 of which can bypass all scanners. On the risky function surface, we discover 133 exploitable gadgets, achieving almost a 100% bypass rate. Even against the best-performing scanner, these gadgets maintain an 89% bypass rate. By systematically revealing the pickle-based model poisoning surface, we achieve practical and robust bypasses against real-world scanners. We responsibly disclose our findings to corresponding vendors, receiving acknowledgments and a $6000 bug bounty.

Problem

Research questions and friction points this paper is trying to address.

Systematically reveals pickle-based model poisoning vulnerabilities in AI frameworks
Identifies stealthy attack vectors bypassing current security scanners
Exposes critical gaps in detection mechanisms for supply chain risks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Systematic disclosure of pickle-based model poisoning surface
Exception-Oriented Programming technique to bypass scanners
Identification of 133 exploitable gadgets with high bypass rates
Authors
Tong Liu
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences
Guozhu Meng
Associate Professor with Chinese Academy of Sciences
mobile security; program analysis; AI privacy and security
Peng Zhou
Shanghai University
Zizhuang Deng
School of Cyber Science and Technology, Shandong University
software security; program analysis
Shuaiyin Yao
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences
Kai Chen
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences