CVE-2025-32434
Published 2025-04-18
Priority P262 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.88% (76.8th percentile)
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pytorch | < pytorch 1.7.1-7+deb11u1 (bullseye) | pytorch 1.7.1-7+deb11u1 (bullseye) |
| internlm | lmdeploy | >= 0 < 0.11.1 | 0.11.1 |
| linuxfoundation | pytorch | < 2.6.0 | 2.6.0 |
| linuxfoundation | pytorch | >= 0 < 1.7.1-7+deb11u1 | 1.7.1-7+deb11u1 |
| linuxfoundation | pytorch | >= 0 < 2.6.0+dfsg-1 | 2.6.0+dfsg-1 |
| linuxfoundation | pytorch | >= 0 < 2.6.0+dfsg-1 | 2.6.0+dfsg-1 |
| msrc | azl3_pytorch_2.2.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_pytorch_2.2.2-7_on_azure_linux_3.0 | — | — |
| msrc | cbl2_pytorch_2.0.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_pytorch_2.0.0-9_on_cbl_mariner_2.0 | — | — |
| pytorch | pytorch | < 2.6.0 | 2.6.0 |
Detection & IOCs
- Flag any use of torch.load() with weights_only=True being called against a legacy tar-format file — the load process silently falls back to unsafe deserialization, enabling RCE.
- Alert on loading of .pth checkpoint files with torch.load, especially in automated or remote model-loading pipelines, as malicious .pth files can trigger arbitrary code execution even with weights_only=True.
- Detect PyTorch versions 2.5.1 and prior as vulnerable; version 2.6.0 contains the patch that adds a check to prevent legacy tar files from being loaded unsafely.
- The weights_only=True parameter in torch.load is intended as a safe loading mode, but does NOT prevent RCE when the input file is in legacy tar format — the safety check is bypassed entirely for such files.
- The fix (commit 8d4b8a9) adds an explicit check to abort loading when a legacy tar-format file is detected under weights_only=True; upgrading to PyTorch 2.6.0 is required to obtain this protection.
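A pre-load triage check for the points above, added here as an example (it is not code from PyTorch or from any of the advisories): it classifies a checkpoint by its container format rather than its extension and combines that with the installed PyTorch version. The function names and verdict strings are assumptions of this example, and the version comparison knows nothing about distribution backports such as 1.7.1-7+deb11u1.

```python
import re
import sys
import tarfile
import zipfile

PATCHED = (2, 6, 0)  # first fixed upstream release, per the advisory


def parse_version(text):
    """'2.5.1+cu121' -> (2, 5, 1). Build and local suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def container_format(path):
    """Classify by content. tarfile.is_tarfile also accepts compressed
    tar archives, which errs on the side of flagging."""
    if tarfile.is_tarfile(path):
        return "legacy-tar"
    if zipfile.is_zipfile(path):
        return "zip"
    return "other"


def triage(path, torch_version):
    """Verdict strings are this example's own, not PyTorch output."""
    fmt = container_format(path)
    vulnerable = parse_version(torch_version) < PATCHED
    if fmt == "legacy-tar":
        # Pre-2.6.0: weights_only=True does not protect this load.
        # 2.6.0+: the load is refused, so the file still needs review.
        return "block" if vulnerable else "review"
    return "upgrade" if vulnerable else "ok"


if __name__ == "__main__":
    # usage: python triage.py <checkpoint> <torch version string>
    print(triage(sys.argv[1], sys.argv[2]))
```

Run it in the ingestion path before any call to torch.load, and treat "block" and "review" as quarantine outcomes rather than as something to retry with different load options.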
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 9.3 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
OSV
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
osv·2025-12-26
CVE-2025-67729 [HIGH] lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
## Summary
An insecure deserialization vulnerability exists in lmdeploy where `torch.load()` is called without the `weights_only=True` parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious `.bin` or `.pt` model file.
**CWE:** CWE-502 - Deserialization of Untrusted Data
---
## Details
Several locations in lmdeploy use `torch.load()` without the recommended `weights_only=True` security parameter. PyTorch's `torch.load()` uses Python's pickle module internally, which can execute arbitrary code during deserialization.
### Vulnerable Locations
**1. `lmdeploy/vl/model/utils.py` (Line 22)**
```python
de
```
GHSA
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
ghsa·2025-12-26
CVE-2025-67729 [HIGH] CWE-502 lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
OSV
CVE-2025-32434: PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd syst
osv·2025-04-18·CVSS 9.3
CVE-2025-32434 [CRITICAL] CVE-2025-32434: PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd syst
GHSA
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
ghsa·2025-04-18
CVE-2025-32434 [CRITICAL] CWE-502 PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
# Description
I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading a model using torch.load with weights_only=True, it can still achieve RCE.
# Background knowledge
https://github.com/pytorch/pytorch/security
As you can see, the PyTorch official documentation considers using `torch.load()` with `weights_only=True` to be safe.
Since everyone knows that weights_only=False is unsafe, they will use weights_only=True to mitigate the security issue.
But now, I just proved that even if you use weights_only=True, it can still achieve RCE.
# Credit
This vulnerability was found by Ji'an Zhou.
OSV
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
osv·2025-04-18
CVE-2025-32434 [CRITICAL] PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
Microsoft
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
vendor_msrc·2025-04-08·CVSS 9.8
CVE-2025-32434 [CRITICAL] CWE-502 PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releas
Debian
CVE-2025-32434: pytorch - PyTorch is a Python package that provides tensor computation with strong GPU acc...
vendor_debian·2025·CVSS 9.3
CVE-2025-32434 [CRITICAL] CVE-2025-32434: pytorch - PyTorch is a Python package that provides tensor computation with strong GPU acc...
Scope: local
bookworm: open
bullseye: resolved (fixed in 1.7.1-7+deb11u1)
forky: resolved (fixed in 2.6.0+dfsg-1)
sid: resolved (fixed in 2.6.0+dfsg-1)
trixie: resolved (fixed in 2.6.0+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-24747 python-torch: PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files [fedora-42]
bugzilla·2026-01-28·CVSS 9.3
CVE-2026-24747 [CRITICAL] CVE-2026-24747 python-torch: PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This is sadly distinct from CVE-2025-32434. Moreover, any vulns in weights_only=True are real security issues for our users - it's supposed to be a safe function.
---
Unfortunately, both the commit and bug number provided in the NVD for this vuln seem unrelated.
Luckily, I was able to find the patch:
https://github.com/pytorch/pytorch/commit/0e2459f08fc5329979e6ad986014278f2a87618c
---
This message is a reminder that Fedora Linux 42 is
Bugzilla
CVE-2026-24747 pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
bugzilla·2026-01-27·CVSS 9.3
CVE-2026-24747 [CRITICAL] CVE-2026-24747 pytorch: PyTorch: Arbitrary code execution via malicious checkpoint file loading
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Discussion:
The CVE listing seems to have a patch attached, but I honestly can't tell if it fixes the CVE or not; it seems unrelated.
---
This is sadly distinct from CVE-2025-32434. Moreover, any vulns in weights_only=True are real security issues for our users - it's supposed to be a safe function.
---
This appears to hit F42
Bugzilla
CVE-2025-32434 python-torch: PyTorch: `torch.load` with `weights_only=True` leads to remote code execution [fedora-42]
bugzilla·2025-04-21·CVSS 9.3
CVE-2025-32434 [CRITICAL] CVE-2025-32434 python-torch: PyTorch: `torch.load` with `weights_only=True` leads to remote code execution [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360999
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
The fixing commit is https://github.com/pytorch/pytorch/commit/8d4b8a920a2172523deb95bf20e8e52d50649c04
---
The issue is that even when using the safe configuration of weights_only=True in torch.load, if a file in the legacy tar format is provided, the load process continues unsafely since legacy tar files c