BIT-pytorch-2025-32434
Remote Command Execution (RCE) vulnerability in torch (PyPI)

Remote Command Execution (RCE) Proof of concept

What is BIT-pytorch-2025-32434 About?

This vulnerability in PyTorch allows for Remote Command Execution (RCE) when loading a model using `torch.load` with the `weights_only=True` parameter in versions 2.5.1 and prior. An attacker can craft a malicious model file that, when loaded, executes arbitrary commands on the system. The exploitation is trivial, as it only requires loading a specially crafted model.

Affected Software

torch <2.6.0

Technical Details

The vulnerability exists in PyTorch versions 2.5.1 and prior within the `torch.load` function, specifically when the `weights_only=True` argument is used. This argument is intended to load only the model's weights, preventing the execution of arbitrary Python code embedded in the pickled model file. However, a flaw in the implementation allows this safety mechanism to be bypassed. An attacker can craft a malicious model file (typically a `.pt` or `.pth` file, which are essentially Python pickles) that contains specially formatted data. When `torch.load` deserializes this data, even with `weights_only=True`, it mistakenly executes the embedded code, leading to arbitrary command execution on the system where the model is loaded.

What is the Impact of BIT-pytorch-2025-32434?

Successful exploitation may allow attackers to execute arbitrary commands on the compromised system, leading to complete system compromise, data theft, or denial of service.

What is the Exploitability of BIT-pytorch-2025-32434?

Exploitation of this RCE vulnerability is straightforward and requires minimal technical complexity. An attacker needs to provide a specially crafted PyTorch model file to a target application that uses `torch.load` with `weights_only=True`. No prior authentication is directly required if the attacker can induce the application to load a malicious model (e.g., through a file upload feature or by placing it in an accessible location). The attack is remote if the application loads models from untrusted remote sources. The primary prerequisite is the use of a vulnerable PyTorch version (2.5.1 or prior). The risk factor is very high, as successful model loading leads to full system compromise.

What are the Known Public Exploits?

  • PoC Author: Camier
    • Link: Link
    • Commentary: Modern Real-Time Voice Cloning - Modernized SV2TTS with PyTorch 2.x, enhanced security (CVE-2025-32434 mitigated), comprehensive testing

What are the Available Fixes for BIT-pytorch-2025-32434?

Available Upgrade Options

  • torch
    • <2.6.0 → Upgrade to 2.6.0


Additional Resources

What are Similar Vulnerabilities to BIT-pytorch-2025-32434?

Similar Vulnerabilities: CVE-2023-49033, CVE-2022-29217, CVE-2021-41221, CVE-2020-15522, CVE-2019-10023