CVE-2025-32434

Published Apr 18, 2025

CVSS critical 9.3
Python
PyTorch

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-32434 is a Remote Command Execution (RCE) vulnerability affecting PyTorch versions 2.5.1 and earlier. It exists in the `torch.load()` function when loading a model with the `weights_only=True` parameter. This parameter was previously believed to provide security, but researchers have demonstrated that attackers can still achieve RCE even when it is enabled. The vulnerability stems from the deserialization of untrusted data. By crafting a malicious model file, an attacker can exploit this flaw to execute arbitrary commands on the target machine. A patch is available in PyTorch version 2.6.0, and users of affected versions are advised to update immediately.

Description
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In versions 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using `torch.load` with `weights_only=True`. This issue has been patched in version 2.6.0.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-502

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

20

  1. Vulnerability in pytorch (torch), high severity with CVSS 9.3; resolved in torch >= 2.6.0. CVE-2025-32434 https://t.co/ve7G44hZeS https://t.co/AD6ASuY8oP

    @fresta_gg

    21 Apr 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. A critical vulnerability (CVE-2025-32434) in PyTorch allows remote code execution even with protections in place. Users should upgrade to 2.6.0 and audit AI models for safety. ⚠️ #PyTorch #AIModels #USA link: https://t.co/ukQSjsbUQ0 https://t.co/gXo1K4yNsS

    @TweetThreatNews

    21 Apr 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. A critical RCE vulnerability (CVE-2025-32434) has been found in PyTorch ≤2.5.1, affecting the torch.load() function. Users should update to version 2.6.0 immediately. ⚠️ #PyTorchUpdate #RemoteCode #USA link: https://t.co/t2VcewJQbW https://t.co/XdRbtVphAL

    @TweetThreatNews

    21 Apr 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Critical vulnerability in PyTorch. CVE-2025-32434 is remote code execution with a CVSS score of 9.3. It is triggered when a crafted model file is handled by torch.load() with weights_only=True. Fixed in version 2.6.0. https://t.co/62GqSLH4Ou

    @__kokumoto

    21 Apr 2025

    5679 Impressions

    22 Retweets

    59 Likes

    24 Bookmarks

    0 Replies

    0 Quotes

  5. Critical PyTorch Vulnerability CVE-2025-32434 Allows Remote Code Execution https://t.co/T7JmseLUkj

    @Dinosn

    21 Apr 2025

    2300 Impressions

    3 Retweets

    15 Likes

    4 Bookmarks

    0 Replies

    1 Quote

  6. 🚨 CVE-2025-32434 ⚠️🔴 CRITICAL (9.3) 🏢 pytorch - pytorch 🏗️ < 2.6.0 🔗 https://t.co/3CXH8n7NHn #CyberCron #VulnAlert #InfoSec https://t.co/mlq7tLQyL3

    @cybercronai

    19 Apr 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-32434 Remote Command Execution in PyTorch Before 2.6.0 via Torch Load Mechanism https://t.co/wJsyOveSwF

    @VulmonFeeds

    19 Apr 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes