CVE-2025-32434
published 2025-04-18


Priority P262 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.88% (76.8th percentile)
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
debian | pytorch | < pytorch 1.7.1-7+deb11u1 (bullseye) | pytorch 1.7.1-7+deb11u1 (bullseye)
internlm | lmdeploy | >= 0 < 0.11.1 | 0.11.1
linuxfoundation | pytorch | < 2.6.0 | 2.6.0
linuxfoundation | pytorch | >= 0 < 1.7.1-7+deb11u1 | 1.7.1-7+deb11u1
linuxfoundation | pytorch | >= 0 < 2.6.0+dfsg-1 | 2.6.0+dfsg-1
linuxfoundation | pytorch | >= 0 < 2.6.0+dfsg-1 | 2.6.0+dfsg-1
msrc | azl3_pytorch_2.2.2-6_on_azure_linux_3.0 | |
msrc | azl3_pytorch_2.2.2-7_on_azure_linux_3.0 | |
msrc | cbl2_pytorch_2.0.0-8_on_cbl_mariner_2.0 | |
msrc | cbl2_pytorch_2.0.0-9_on_cbl_mariner_2.0 | |
pytorch | pytorch | < 2.6.0 | 2.6.0

Detection & IOCs (extracted from sources)

url: https://github.com/pytorch/pytorch/commit/8d4b8a920a2172523deb95bf20e8e52d50649c04
  • Flag any use of torch.load() with weights_only=True being called against a legacy tar-format file — the load process silently falls back to unsafe deserialization, enabling RCE.
  • Alert on loading of .pth checkpoint files with torch.load, especially in automated or remote model-loading pipelines, as malicious .pth files can trigger arbitrary code execution even with weights_only=True.
  • Detect PyTorch versions 2.5.1 and prior as vulnerable; version 2.6.0 contains the patch that adds a check to prevent legacy tar files from being loaded unsafely.
  • The weights_only=True parameter in torch.load is intended as a safe loading mode, but does NOT prevent RCE when the input file is in legacy tar format — the safety check is bypassed entirely for such files.
  • The fix (commit 8d4b8a9) adds an explicit check to abort loading when a legacy tar-format file is detected under weights_only=True; upgrading to PyTorch 2.6.0 is required to obtain this protection.
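
One way to apply the first and third checks above before a checkpoint ever reaches torch.load, as an added example (not code from this page or from the PyTorch project). It classifies the file's outer container with the standard library only, without unpickling anything, and combines that with the installed version string; the function names, verdict labels and sample files are assumptions made for illustration.

```python
import os
import re
import tarfile
import zipfile

FIXED_IN = (2, 6, 0)  # patched release named in the advisory text

def container_format(path):
    """Classify a checkpoint by its outer container; nothing is unpickled."""
    # Tar is tested first so a tar that merely embeds a zip is still flagged.
    if tarfile.is_tarfile(path):
        return "legacy-tar"
    if zipfile.is_zipfile(path):
        return "zip"
    return "other"  # e.g. a bare pickle stream

def version_tuple(version):
    """'2.5.1+cu121' -> (2, 5, 1); local and pre-release suffixes are ignored."""
    nums = []
    for part in version.split("+")[0].split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def assess(path, torch_version):
    """Return (verdict, format) for one checkpoint and one installed version."""
    fmt = container_format(path)
    unpatched = version_tuple(torch_version) < FIXED_IN
    if fmt == "legacy-tar" and unpatched:
        return "block", fmt    # weights_only=True does not protect here
    if fmt == "legacy-tar":
        return "review", fmt   # patched builds abort this load; ask why a tar arrived
    if unpatched:
        return "upgrade", fmt  # container is fine, runtime is in the affected range
    return "ok", fmt

def make_samples(directory):
    """Write two constructed, harmless files: a tar container and a zip container."""
    payload = os.path.join(directory, "blob.bin")
    tar_path = os.path.join(directory, "legacy.pth")
    zip_path = os.path.join(directory, "modern.pth")
    with open(payload, "wb") as fh:
        fh.write(b"constructed sample bytes")
    with tarfile.open(tar_path, "w") as tf:
        tf.add(payload, arcname="storages")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.write(payload, arcname="archive/data.pkl")
    return tar_path, zip_path
```

tarfile.is_tarfile also matches compressed tar archives, so this check errs toward flagging more files rather than fewer.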

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv | 9.3 | CRITICAL
vendor_msrc | 9.8 | CRITICAL
vendor_debian | 9.3 | CRITICAL