All the vulnerabilites related to pytorch - pytorch
cve-2025-2149
Vulnerability from cvelistv5
Published
2025-03-10 12:31
Modified
2025-03-10 14:08
Severity ?
2.0 (Low) - CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
2.5 (Low) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
2.5 (Low) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS score ?
Summary
PyTorch Quantized Sigmoid Module nnq_Sigmoid initialization
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.299060 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.299060 | signature, permissions-required | |
| https://vuldb.com/?submit.506563 | third-party-advisory | |
| https://github.com/pytorch/pytorch/issues/147818 | issue-tracking | |
| https://github.com/pytorch/pytorch/issues/147818#issue-2877301660 | exploit, issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2149",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T14:08:09.193144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T14:08:14.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pytorch/pytorch/issues/147818#issue-2877301660"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/pytorch/pytorch/issues/147818"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Quantized Sigmoid Module"
],
"product": "PyTorch",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.6.0+cu124"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Default436352 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in PyTorch 2.6.0+cu124 ausgemacht. Davon betroffen ist die Funktion nnq_Sigmoid der Komponente Quantized Sigmoid Module. Durch die Manipulation des Arguments scale/zero_point mit unbekannten Daten kann eine improper initialization-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T12:31:04.788Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299060 | PyTorch Quantized Sigmoid Module nnq_Sigmoid initialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.299060"
},
{
"name": "VDB-299060 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299060"
},
{
"name": "Submit #506563 | pytorch 2.6.0+cu124 Inconsistency Between Implementation and Documented Design",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.506563"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/pytorch/pytorch/issues/147818"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/pytorch/pytorch/issues/147818#issue-2877301660"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-10T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-10T07:19:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "PyTorch Quantized Sigmoid Module nnq_Sigmoid initialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2149",
"datePublished": "2025-03-10T12:31:04.788Z",
"dateReserved": "2025-03-10T06:13:15.319Z",
"dateUpdated": "2025-03-10T14:08:14.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-32434
Vulnerability from cvelistv5
Published
2025-04-18 15:48
Modified
2025-04-18 16:06
Severity ?
EPSS score ?
Summary
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:06:40.000632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:06:51.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pytorch",
"vendor": "pytorch",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:48:18.851Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6"
}
],
"source": {
"advisory": "GHSA-53q9-r3pm-6pq6",
"discovery": "UNKNOWN"
},
"title": "PyTorch: `torch.load` with `weights_only=True` leads to remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32434",
"datePublished": "2025-04-18T15:48:18.851Z",
"dateReserved": "2025-04-08T10:54:58.368Z",
"dateUpdated": "2025-04-18T16:06:51.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-2148
Vulnerability from cvelistv5
Published
2025-03-10 12:00
Modified
2025-03-10 14:10
Severity ?
2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
5.0 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
5.0 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS score ?
Summary
PyTorch Tuple torch.ops.profiler._call_end_callbacks_on_jit_fut memory corruption
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.299059 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.299059 | signature, permissions-required | |
| https://vuldb.com/?submit.505959 | third-party-advisory | |
| https://github.com/pytorch/pytorch/issues/147722 | issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2148",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T14:10:27.409283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T14:10:36.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pytorch/pytorch/issues/147722"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Tuple Handler"
],
"product": "PyTorch",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.6.0+cu124"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Default436352 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult."
},
{
"lang": "de",
"value": "In PyTorch 2.6.0+cu124 wurde eine kritische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion torch.ops.profiler._call_end_callbacks_on_jit_fut der Komponente Tuple Handler. Mit der Manipulation des Arguments None mit unbekannten Daten kann eine memory corruption-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T12:00:07.912Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-299059 | PyTorch Tuple torch.ops.profiler._call_end_callbacks_on_jit_fut memory corruption",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.299059"
},
{
"name": "VDB-299059 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.299059"
},
{
"name": "Submit #505959 | pytorch 2.6.0+cu124 Segmentation fault",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.505959"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/pytorch/pytorch/issues/147722"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-10T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-10T07:19:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "PyTorch Tuple torch.ops.profiler._call_end_callbacks_on_jit_fut memory corruption"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2148",
"datePublished": "2025-03-10T12:00:07.912Z",
"dateReserved": "2025-03-10T06:12:36.829Z",
"dateUpdated": "2025-03-10T14:10:36.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}