PT-2025-42721 · Pypi · Scio-Pypi

Published

2025-10-09

·

Updated

2025-10-09

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Impact

PyTorch reported a critical vulnerability when using torch.load, even with option weights only=True, for torch <= 2.5.1.
In scio <= 1.0.0, the lower bound for torch is 2.3.

Patches

The lower bound was changed to torch >= 2.6, starting from scio >= 1.0.1 (currently in dev state).

Workarounds

You can manually check that you are using torch >= 2.6.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

GHSA-M9MP-6X32-5RHG

Affected Products

Scio-Pypi