
CVE-2025-32434 – PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
https://notcve.org/view.php?id=CVE-2025-32434
18 Apr 2025 — PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using `torch.load` with `weights_only=True`. This issue has been patched in version 2.6.0. • https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6 • CWE-502: Deserialization of Untrusted Data

CVE-2024-48063
https://notcve.org/view.php?id=CVE-2024-48063
29 Oct 2024 — In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. • https://github.com/zgimszhd61/CVE-2024-48063-poc • CWE-502: Deserialization of Untrusted Data

CVE-2024-31580
https://notcve.org/view.php?id=CVE-2024-31580
17 Apr 2024 — PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. • https://gist.github.com/1047524396/038c78f2f007345e6f497698ace2aa3d • CWE-122: Heap-based Buffer Overflow