{"id":53311,"date":"2025-04-21T14:26:50","date_gmt":"2025-04-21T18:26:50","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53311"},"modified":"2025-04-22T06:41:00","modified_gmt":"2025-04-22T10:41:00","slug":"vulnerability-in-pytorch-framework","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/vulnerability-in-pytorch-framework\/53311\/","title":{"rendered":"Critical vulnerability in PyTorch framework"},"content":{"rendered":"<p>A researcher has <a href=\"https:\/\/securityonline.info\/critical-pytorch-vulnerability-cve-2025-32434-allows-remote-code-execution\/\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> a vulnerability in PyTorch \u2013 an open-source machine-learning framework. The vulnerability, registered as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-32434\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2025-32434<\/a>, belongs to the Remote Code Execution (RCE) class, and has a 9.3 CVSS rating, meaning it\u2019s categorized as critical. Exploitation of CVE-2025-32434 under certain conditions allows an attacker to run arbitrary code when a malicious AI model is being loaded on the victim\u2019s computer. Anyone using PyTorch is advised to update the framework to the latest version as soon as possible.<\/p>\n<h2>The CVE-2025-32434 vulnerability<\/h2>\n<p>Among other things, the PyTorch framework, allows users to save trained models to a file that stores the <a href=\"https:\/\/tedai-sanfrancisco.ted.com\/glossary\/weights\/\" target=\"_blank\" rel=\"nofollow noopener\">weights<\/a>, and loads them from the file using the <em>torch.load()<\/em> function. Trained models are often shared via various public repositories and, theoretically, they can contain malicious implants. Therefore, the <a href=\"https:\/\/github.com\/pytorch\/pytorch\/security\/advisories\/GHSA-53q9-r3pm-6pq6\" target=\"_blank\" rel=\"nofollow noopener\">official documentation<\/a> of the PyTorch project recommends using the <em>torch.load()<\/em> function with the <em>weights_only=True<\/em> parameter for security purposes (this way, only primitive data types are loaded: dictionaries, tensors, lists, and so on).<\/p>\n<p>The vulnerability CVE-2025-32434 exists due to an incorrectly implemented deserialization mechanism when loading a model. The researcher who discovered it demonstrated that an attacker can create a model file in such a way that the <em>weights_only=True<\/em> parameter will lead to the exact opposite effect, while the loading of this malicious model will lead to arbitrary code execution that can compromise the environment in which the model is run.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>The researcher didn\u2019t publish a detailed method for exploiting this vulnerability, and at the moment there\u2019s no evidence that someone is using CVE-2025-32434 in actual attacks. However, the very fact of releasing a patch always attracts both researchers and attackers to the problem, so proof-of-concept exploits are most likely already being developed.<\/p>\n<p>The team responsible for developing the PyTorch framework released its update 2.6.0, in which the vulnerability CVE-2025-32434 was successfully fixed. All previous versions \u2013 up to 2.5.1 \u2013 remain vulnerable and should be updated as soon as possible. If this isn\u2019t possible for some reason, the researchers recommend refraining from using the <em>torch.load()<\/em> function with the <em>weights_only=True<\/em> parameter, and temporarily switching to alternative methods of model loading.<\/p>\n<p>In addition, we recommend paying special attention to protecting virtual and cloud environments \u2013 the easiest way to do this is by using\u00a0 <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/cloud-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____khcs___\" target=\"_blank\" rel=\"noopener nofollow\">specialized solutions<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"mdr\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"mdr\" value=\"37702\">\n","protected":false},"excerpt":{"rendered":"<p>Researchers have found a way to exploit a security mechanism in a popular machine-learning framework.<\/p>\n","protected":false},"author":2698,"featured_media":53312,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[960,1876,268,4380],"class_list":{"0":"post-53311","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-artificial-intelligence","10":"tag-machine-learning","11":"tag-vulnerabilities","12":"tag-vulnerability"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vulnerability-in-pytorch-framework\/53311\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vulnerability-in-pytorch-framework\/28763\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vulnerability-in-pytorch-framework\/23999\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vulnerability-in-pytorch-framework\/28877\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vulnerability-in-pytorch-framework\/39398\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vulnerability-in-pytorch-framework\/29042\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vulnerability-in-pytorch-framework\/34823\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vulnerability-in-pytorch-framework\/34455\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/vulnerability\/","name":"vulnerability"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2698"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53311"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53311\/revisions"}],"predecessor-version":[{"id":53315,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53311\/revisions\/53315"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53312"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}