AI Threat Alert
Published April 18, 2025
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| pytorch | pip | — | No patch |
| torch | pip | < 2.6.0 | 2.6.0 |
Severity & Risk
CVSS 3.1
9.8 / 10
EPSS
1.2%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A
Recommended Action
Patch available
Update torch to version 2.6.0
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- lists.debian.org/debian-lts-announce/2025/12/msg00000.html
- github.com/advisories/GHSA-53q9-r3pm-6pq6
- github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-41.yaml
- github.com/pytorch/pytorch/commit/8d4b8a920a2172523deb95bf20e8e52d50649c04
- github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6
- nvd.nist.gov/vuln/detail/CVE-2025-32434
- github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6 Vendor
Timeline
Published
April 18, 2025
Last Modified
December 1, 2025
First Seen
April 18, 2025