CVE-2025-3000 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Pytorch

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-79 — Cross-site Scripting CWE-733 — Compiler Optimization Removal or Modification of Security-critical Code CWE-78 — OS Command Injection CWE-476 — NULL Pointer Dereference CWE-749 — Exposed Dangerous Method or Function CWE-200 — Sensitive Information Exposure CWE-1220 — Insufficient Granularity of Access Control CWE-601 — Open Redirect24 documents10 sources

Severity

4.8MEDIUMNVD

GHSA8.8

EPSS

0.1%

top 73.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Gogs Gogs Gogs.io Gogs Better-auth +5 more

Timeline

PublishedMar 31

Latest updateMar 10

Description

A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages8 packages

▶NVDlinuxfoundation/pytorch2.6.0

▶debiandebian/pytorch

▶Gogogs.io/gogs< 0.13.3-0.20250608224432-110117b2e5e5

▶npmnuxt/rspack-builder3.12.2 — 3.15.3

▶Gogithub.com/gogs_gogs< 0.13.3-0.20250608224432-110117b2e5e5

🔴Vulnerability Details

GHSA

Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes↗2025-07-07

▶

GHSA

Gogs XSS allowed by stored call in PDF renderer↗2025-06-26

▶

GHSA

GHSA-rrmf-rvhw-rf47: A vulnerability classified as critical has been found in PyTorch 2↗2025-03-31

▶

OSV

CVE-2025-3000: A vulnerability classified as critical has been found in PyTorch 2↗2025-03-31

▶

GHSA

Opening a malicious website while running a Nuxt dev server could allow read-only access to code↗2025-01-27

▶

💥Exploits & PoCs

Exploit-DB

Lantronix Provisioning Manager 7.10.3 - XML External Entity Injection (XXE)↗2025-08-18

▶

Exploit-DB

gogs 0.13.0 - Remote Code Execution (RCE)↗2025-07-02

▶

📋Vendor Advisories

Chrome

Stable Channel Update for Desktop: CVE-2026-3925↗2026-03-10

▶

Cisco

Cisco Nexus 3000 and 9000 Series Switches Intermediate System-to-Intermediate System Denial of Service Vulnerability↗2025-08-27

▶

Cisco

Cisco Nexus 3000 and 9000 Series Switches Protocol Independent Multicast Version 6 Denial of Service Vulnerability↗2025-08-27

▶

Cisco

Cisco NX-OS Software Sensitive Log Information Disclosure Vulnerability↗2025-08-27

▶

Chrome

Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2025-1923↗2025-03-18

▶