CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32434 – PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
https://notcve.org/view.php?id=CVE-2025-32434
18 Apr 2025 — PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0. • https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45907
https://notcve.org/view.php?id=CVE-2022-45907
26 Nov 2022 — In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. En PyTorch anterior a trunk/89695, torch.jit.annotations.parse_type_line puede causar la ejecución de código arbitrario porque eval se usa de manera insegura. • https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •