
CVE-2025-32434: Critical Vulnerability in Linux PyTorch

A critical Remote Command Execution vulnerability exists in PyTorch versions 2.5.1 and prior. Organizations using affected versions should prioritize patching to mitigate risks associated with this exploit.

CRITICAL · Public Exploit · CVSS 9.3 · Published April 18, 2025


This vulnerability allows Remote Command Execution (RCE) in PyTorch when a model is loaded with the parameter weights_only=True. The issue affects versions 2.5.1 and prior of PyTorch, a widely used Python package for tensor computation and deep learning. The CVSS score for this vulnerability is 9.3, indicating a critical severity level. Organizations running these versions face significant risks, including unauthorized command execution. Given the critical severity and the potential for exploitation, organizations should prioritize patching immediately.

The RCE vulnerability can be exploited over the network with low complexity, requiring no user interaction or special privileges. It has a high impact on confidentiality, integrity, and availability, making it crucial for organizations to assess their exposure and take appropriate actions. The vulnerability was published on April 18, 2025, and has been patched in version 2.6.0 of PyTorch.

A known exploit for this vulnerability exists, so organizations need to act to protect their environments. Failing to address the vulnerability could lead to severe consequences, including data breaches and system compromise. Organizations using the affected versions are advised to upgrade to version 2.6.0 or later as soon as possible.
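To support the exposure assessment and upgrade advice above, here is an added example (not code from this advisory or from the PyTorch project) that audits a requirements file for torch constraints that pin, or still admit, versions older than 2.6.0. It goes beyond the page by handling ranges, extras, local build tags and pre-releases; the function names and the sample file are assumptions made for the illustration.

```python
import re
FIXED = (2, 6, 0)  # first patched release, per the advisory text
# Matches "torch" only (not torchvision), optional extras, then specifiers.
REQ = re.compile(r"^\s*torch(?![\w.-])\s*(?:\[[^\]]*\])?\s*([^;#]*)", re.I)
VER = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
SPEC = re.compile(r"(===|==|~=|>=|<=|>|<)\s*([^,\s]+)")

def parse(version):
    """Return (release, is_final); pre-releases sort before the final."""
    m = VER.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    suffix = m.group(2).split("+")[0]  # drop local tags such as +cu121
    pre = re.match(r"[-_.]?(a|b|rc|dev|alpha|beta|pre)", suffix, re.I)
    return release, pre is None

def is_affected(version):
    """True for anything older than 2.6.0, including 2.6.0 pre-releases."""
    return parse(version) < (FIXED, True)

def audit_requirements(text):
    """Classify each torch requirement as 'affected', 'review' or 'ok'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if not m:
            continue
        verdict = "review"  # range may still resolve to an affected version
        for op, ver in SPEC.findall(m.group(1)):
            if op in ("<", "<="):  # upper bound that excludes every fixed release
                cap = parse(ver)
                if cap < (FIXED, True) or (op == "<" and cap == (FIXED, True)):
                    verdict = "affected"
                    break
            elif op in ("==", "===") and "*" not in ver:  # exact pin
                verdict = "affected" if is_affected(ver) else "ok"
                break
            elif not is_affected(ver):  # lower bound at or past the fix
                verdict = "ok"
        findings.append((n, line.strip(), verdict))
    return findings

# Constructed sample requirements file, not taken from a real project.
SAMPLE = "\n".join(["numpy==1.26.4", "torch==2.5.1+cu121", "torchvision==0.20.1",
                    "torch>=2.4,<2.6  # legacy", "torch[opt]>=2.6.0", "torch"])
if __name__ == "__main__":
    print(*audit_requirements(SAMPLE), sep="\n")
```

A "review" verdict marks a constraint that could resolve either way; confirm what is actually installed from the lock file or with `pip show torch`.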

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
