CVE-2025-32434
Severity CVSS v4.0:
CRITICAL
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
18/04/2025
Last modified:
28/05/2025
Description
PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:linuxfoundation:pytorch:*:*:*:*:*:python:*:* | 2.6.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page