CVE-2025-32434 — Deserialization of Untrusted Data in Pytorch

CWE-502 — Deserialization of Untrusted Data8 documents5 sources

Severity

9.3CRITICALNVD

EPSS

1.2%

top 20.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pytorch Linuxfoundation Pytorch Internlm Lmdeploy +5 more

Timeline

PublishedApr 18

Latest updateDec 26

Description

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages9 packages

▶debiandebian/pytorch< pytorch 1.7.1-7+deb11u1 (bullseye)

▶CVEListV5pytorch/pytorch< 2.6.0

▶NVDlinuxfoundation/pytorch< 2.6.0

▶Debianlinuxfoundation/pytorch< 1.7.1-7+deb11u1+2

▶msrcmsrc/azl3_pytorch_2.2.2-6_on_azure_linux_3.0

🔴Vulnerability Details

OSV

lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()↗2025-12-26

▶

GHSA

lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()↗2025-12-26

▶

OSV

CVE-2025-32434: PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd syst↗2025-04-18

▶

GHSA

PyTorch: `torch.load` with `weights_only=True` leads to remote code execution↗2025-04-18

▶

OSV

PyTorch: `torch.load` with `weights_only=True` leads to remote code execution↗2025-04-18

▶

📋Vendor Advisories

Microsoft

PyTorch: `torch.load` with `weights_only=True` leads to remote code execution↗2025-04-08

▶

Debian

CVE-2025-32434: pytorch - PyTorch is a Python package that provides tensor computation with strong GPU acc...↗2025

▶