A critical vulnerability has been disclosed in PyTorch that allows attackers to execute malicious code remotely, even when using safeguards previously thought to mitigate such risks.
The vulnerability, identified as CVE-2025-32434, affects all PyTorch versions up to and including 2.5.1 and was patched in the recently released version 2.6.0.
Overview of PyTorch Vulnerability
The security flaw, discovered by researcher Ji’an Zhou, involves PyTorch’s torch.load function when used with the weights_only=True parameter.
This particular combination was previously documented and widely recommended as a safe approach for loading models from untrusted sources.
“I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading a model using torch.load with weights_only=True, it can still achieve RCE,” stated Zhou in the official vulnerability report.
The vulnerability contradicts PyTorch’s prior security guidance, which explicitly stated on their official documentation: “uses Python’s unpickling facilities but treats storages, which underlie tensors, specially,” and recommended using weights_only=True as a security measure.
A typical vulnerable code snippet might look like:
Risk Factors and Details
Affected Products: PyTorch (versions ≤2.5.1), specifically when using torch.load with weights_only=True
Impact: Remote Code Execution (RCE) via deserialization of untrusted data
Exploit Prerequisites: Attacker must supply a malicious model file that is loaded by torch.load(weights_only=True); no user interaction.
CVSS 3.1 Score: 9.3 (Critical)
This discovery is particularly concerning because many organizations and developers had implemented the weights_only=True parameter specifically as a security precaution.
The PyTorch documentation has been warning users about the dangers of using torch.load without this parameter since version 2.4.
“By default, torch.load uses weights_only=False which uses the pickle module provided by Python. This is inherently unsafe as the pickle module can import and execute arbitrary code,” states PyTorch’s official documentation.
The vulnerability allows attackers to craft malicious model files that, when loaded, can execute arbitrary code on the victim’s system, potentially leading to complete system compromise.
This is especially dangerous for machine learning pipelines that automatically download and load models from external sources or collaborative environments.
Mitigation Steps
Users are strongly advised to update to PyTorch version 2.6.0 or later immediately. If immediate updating is not possible, avoid using the torch.load function with weights_only=True as a temporary measure to reduce risk.
Alternative mitigations include:
Using safer alternatives like safetensors.torch.load_model.
Implementing additional validation before loading any model.
Only loading models from trusted, verified sources.
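The mitigation list above, turned into a small loading wrapper as an added example (this is not code from the article or from the PyTorch project): it refuses to fall back to torch.load on a PyTorch release at or below 2.5.1, prefers the safetensors format, and checks the file against a hash recorded when the checkpoint was obtained from a trusted source. The helper names (parse_version, is_affected, checksum_matches, loader_policy, load_checkpoint) are hypothetical; torch.load, torch.__version__ and safetensors.torch.load_file are the real library calls, imported lazily so the policy helpers run on a machine without either package.

```python
# Added example, not from the article or the PyTorch project: a loading
# wrapper that applies the mitigations listed in the article. Helper names
# are hypothetical; torch.load and safetensors.torch.load_file are real APIs.
import hashlib
import re
from pathlib import Path

# PyTorch 2.6.0 is the first release with the fix for CVE-2025-32434.
PATCHED_VERSION = (2, 6, 0)


def parse_version(version_string):
    """Reduce a PyTorch version string such as '2.5.1+cu124' or '2.4' to a
    comparable (major, minor, patch) tuple; local build tags are ignored and
    only the release number is compared."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_string)
    if not m:
        raise ValueError(f"unrecognised PyTorch version: {version_string!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_string):
    """True for every release up to and including 2.5.1, where
    torch.load(weights_only=True) does not protect against a malicious file."""
    return parse_version(version_string) < PATCHED_VERSION


def checksum_matches(data, expected_sha256):
    """'Validate before loading': compare the file bytes against a SHA-256
    the operator recorded when the checkpoint came from a trusted source."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def loader_policy(path, torch_version):
    """Decide how a checkpoint may be loaded on this installation.
    Returns 'safetensors' or 'torch_weights_only', or raises when the only
    option would be torch.load on an unpatched PyTorch."""
    if Path(path).suffix.lower() == ".safetensors":
        return "safetensors"  # no pickle involved at all
    if is_affected(torch_version):
        raise RuntimeError(
            f"PyTorch {torch_version} is affected by CVE-2025-32434; "
            "upgrade to 2.6.0 or later, or convert the checkpoint to safetensors")
    return "torch_weights_only"


def load_checkpoint(path, expected_sha256):
    """Load a state dict only after the checksum check passes and the policy
    permits it. torch and safetensors are imported lazily so the helpers
    above can be used (and tested) without either package installed."""
    data = Path(path).read_bytes()
    if not checksum_matches(data, expected_sha256):
        raise RuntimeError(f"checksum mismatch for {path}; refusing to load")

    import torch  # real library; its version string is torch.__version__
    decision = loader_policy(path, torch.__version__)
    if decision == "safetensors":
        from safetensors.torch import load_file  # real safetensors API
        return load_file(str(path), device="cpu")
    # Reached only on PyTorch >= 2.6.0, where weights_only=True is patched.
    return torch.load(str(path), map_location="cpu", weights_only=True)
```

The checksum is compared before any deserializer touches the bytes, so a tampered file is rejected without ever reaching torch.load or safetensors. A prerelease build such as "2.6.0a0" compares as 2.6.0 under this parser; if your pipeline runs nightly builds, pin the exact build you verified rather than relying on the release number alone.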
The PyTorch team had been planning to make weights_only=True the default setting in version 2.6.0 even before this vulnerability was discovered, as part of ongoing security improvements.
The incident serves as a reminder that even security features can have unexpected vulnerabilities, and maintaining up-to-date dependencies remains critical for organizations working with machine learning models, especially those in production environments or processing sensitive data.