CVE-2025-32434

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32434
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32434.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-32434
Aliases
Published
2025-04-18T16:15:23Z
Modified
2025-04-22T07:58:41.347412Z
Summary
[none]
Details

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

References

Affected packages

Debian:11 / pytorch

Package

Name
pytorch
Purl
pkg:deb/debian/pytorch?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.1-7
1.8.1-1
1.8.1-2
1.8.1-3
1.8.1-4
1.8.1-5
1.12.0~rc1-1
1.12.0-1
1.12.1-1
1.13.1+dfsg-1
1.13.1+dfsg-2
1.13.1+dfsg-3
1.13.1+dfsg-4
1.13.1+dfsg-5

2.*

2.0.1+dfsg-1~exp1
2.0.1+dfsg-1
2.0.1+dfsg-2
2.0.1+dfsg-4
2.0.1+dfsg-5
2.1.2+dfsg-1
2.1.2+dfsg-2
2.1.2+dfsg-4
2.4.1-1
2.4.1-3
2.4.1-4
2.5.0+dfsg-1
2.5.1+dfsg-1
2.5.1+dfsg-3
2.5.1+dfsg-4
2.6.0~rc9+dfsg-1~exp1
2.6.0+dfsg-1~exp1
2.6.0+dfsg-1
2.6.0+dfsg-2
2.6.0+dfsg-3
2.6.0+dfsg-4
2.6.0+dfsg-5
2.6.0+dfsg-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / pytorch

Package

Name
pytorch
Purl
pkg:deb/debian/pytorch?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.13.1+dfsg-4
1.13.1+dfsg-5

2.*

2.0.1+dfsg-1~exp1
2.0.1+dfsg-1
2.0.1+dfsg-2
2.0.1+dfsg-4
2.0.1+dfsg-5
2.1.2+dfsg-1
2.1.2+dfsg-2
2.1.2+dfsg-4
2.4.1-1
2.4.1-3
2.4.1-4
2.5.0+dfsg-1
2.5.1+dfsg-1
2.5.1+dfsg-3
2.5.1+dfsg-4
2.6.0~rc9+dfsg-1~exp1
2.6.0+dfsg-1~exp1
2.6.0+dfsg-1
2.6.0+dfsg-2
2.6.0+dfsg-3
2.6.0+dfsg-4
2.6.0+dfsg-5
2.6.0+dfsg-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / pytorch

Package

Name
pytorch
Purl
pkg:deb/debian/pytorch?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.0+dfsg-1

Affected versions

1.*

1.13.1+dfsg-4
1.13.1+dfsg-5

2.*

2.0.1+dfsg-1~exp1
2.0.1+dfsg-1
2.0.1+dfsg-2
2.0.1+dfsg-4
2.0.1+dfsg-5
2.1.2+dfsg-1
2.1.2+dfsg-2
2.1.2+dfsg-4
2.4.1-1
2.4.1-3
2.4.1-4
2.5.0+dfsg-1
2.5.1+dfsg-1
2.5.1+dfsg-3
2.5.1+dfsg-4
2.6.0~rc9+dfsg-1~exp1
2.6.0+dfsg-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}