BIT-pytorch-2025-3730
Denial of Service vulnerability in torch (PyPI)

Denial of Service No known exploit

What is BIT-pytorch-2025-3730 About?

This vulnerability in PyTorch's `ctc_loss` function can be exploited locally to cause a denial of service, potentially making the affected system unavailable. An exploit has been disclosed, but specific details about its complexity are not provided.

Affected Software

torch <2.8.0

Technical Details

The vulnerability resides in the torch.nn.functional.ctc_loss function, implemented in the aten/src/ATen/native/LossCTC.cpp file of PyTorch version 2.6.0. Manipulating this function under unspecified conditions triggers a denial of service. The exact manipulation that causes the denial of service is not specified, but it is noted as being exploitable locally. The attack vector involves direct interaction with the affected component, likely through crafted input or an invocation that leads to an unhandled exception or resource exhaustion.

What is the Impact of BIT-pytorch-2025-3730?

Successful exploitation may allow attackers to disrupt the normal operation of the system, causing it to become unresponsive or crash, thereby denying legitimate users access to services.

What is the Exploitability of BIT-pytorch-2025-3730?

Exploitation of this vulnerability requires local access to the system running the vulnerable PyTorch instance. It does not require authentication, but the attacker must be able to execute code or manipulate inputs passed to the ctc_loss function. The complexity is not explicitly stated, but local denial-of-service vulnerabilities are often straightforward to trigger once the specific manipulation is identified. The public disclosure of an exploit indicates that the technical details required to replicate the attack are available, increasing the likelihood of successful exploitation.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for BIT-pytorch-2025-3730?

Available Upgrade Options

  • torch
    • <2.8.0 → Upgrade to 2.8.0
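The following check tests whether an installed torch or a pinned requirement falls inside the affected range given above (torch <2.8.0, fixed in 2.8.0). It is an added illustration for this advisory, not part of the advisory or of PyTorch; the requirement lines in the test are constructed samples, and PyTorch-style local version suffixes such as `+cu118` are assumed to be irrelevant to whether the fix is present.

```python
import re
from importlib import metadata

# Affected range from the advisory: torch < 2.8.0, fixed in 2.8.0.
FIXED_VERSION = (2, 8, 0)

# PEP 440-style version: release numbers, optional pre-release (a/b/rc),
# optional .postN, optional .devN, optional local segment (+cu118, +cpu).
_VERSION_RE = re.compile(
    r"^\s*v?(?P<rel>\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc)\d*)?"
    r"(?:\.post\d*)?(?P<dev>\.dev\d*)?(?:\+[\w.]+)?\s*$"
)
# A pinned torch requirement, e.g. "torch==2.6.0+cu118 ; sys_platform == 'linux'".
_PIN_RE = re.compile(r"^\s*torch\s*==\s*([^\s;#]+)", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True when a torch version string lies in the advisory's affected range.

    The local segment (+cu118, +cpu) is ignored. A pre-release or dev build of
    the fixed version itself (2.8.0a0, 2.8.0.dev...) is treated conservatively
    as affected, since it may predate the fix; post-releases are not.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable torch version: {version!r}")
    parts = tuple(int(p) for p in m.group("rel").split("."))
    release = (parts + (0, 0, 0))[:3]
    if release < FIXED_VERSION:
        return True
    return release == FIXED_VERSION and bool(m.group("pre") or m.group("dev"))


def affected_pins(requirement_lines) -> list:
    """Return the versions of 'torch==X' pins that fall in the affected range."""
    found = []
    for line in requirement_lines:
        m = _PIN_RE.match(line)
        if m and is_affected(m.group(1)):
            found.append(m.group(1))
    return found


def installed_torch_status():
    """(version, affected) for the torch in this environment, or None if absent."""
    try:
        version = metadata.version("torch")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)


if __name__ == "__main__":
    print(installed_torch_status())
```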


Additional Resources

What are Similar Vulnerabilities to BIT-pytorch-2025-3730?

Similar Vulnerabilities: CVE-2023-49033, CVE-2023-49635, CVE-2023-50478, CVE-2023-51821, CVE-2024-22001