CVE-2025-32434

Name of the Vulnerable Software and Affected Versions PyTorch versions prior to 2.6.0 PyTorch ≤2.5.1

Description PyTorch is vulnerable to a Remote Command Execution (RCE) vulnerability. This flaw exists in versions 2.5.1 and prior, specifically when loading a model using the torch.load() function with the weights only=True parameter. Despite being previously considered a safe practice, loading models with this configuration can now lead to arbitrary code execution. The vulnerability allows attackers to craft malicious model files that can execute code on the victim system. The torch.load() function, when used with weights only=True, is susceptible to exploitation due to insecure deserialization. This vulnerability has a CVSS score of 9.3 and is considered critical.

Recommendations Upgrade to PyTorch version 2.6.0 or later to address this vulnerability. As an interim measure, avoid using torch.load() with external files and implement additional verification of model content.