CVE-2024-48063: PyTorch: RCE via RemoteModule deserialization

Severity: CRITICAL | PoC available | CISA SSVC: Attend
Published October 29, 2024
CISO Take

PyTorch's RemoteModule deserializes arbitrary Python objects over the network without validation, enabling unauthenticated RCE. While PyTorch disputes this as intended behavior for trusted distributed environments, any organization exposing distributed PyTorch workers to untrusted networks is critically exposed. Audit network segmentation for all distributed training and inference infrastructure immediately—distributed PyTorch must never be reachable from untrusted networks.

What is the risk?

High real-world risk despite the disputed status. CVSS 9.8 reflects technical reality: unauthenticated network-accessible RCE with no interaction required. The dispute is a design philosophy argument—PyTorch assumes a trusted network for distributed features—but ML teams routinely misconfigure network exposure. In cloud environments with shared VPCs, multi-tenant clusters, or improperly segmented training farms, exploitation is trivial. A publicly available PoC exploit increases probability of opportunistic attacks significantly.

What systems are affected?

Package: PyTorch
Ecosystem: pip
Vulnerable range: <=2.4.1 (from the original advisory text)
Patched: No patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.6% chance of exploitation in 30 days (higher than 72% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. Immediately audit network exposure: enumerate all PyTorch distributed workers and verify they are unreachable from untrusted networks.

  2. Enforce strict network segmentation—distributed PyTorch RPC ports must be firewalled to the training cluster VPC only.

  3. If remote access is required, route exclusively through authenticated VPN or bastion with mutual TLS.

  4. No vendor patch available (vendor disputes as by-design)—mitigation is architectural, not code-based.

  5. Detection: monitor for unexpected outbound connections from ML training nodes; alert on torch.distributed port access from non-whitelisted IPs.

  6. Review PyTorch's official security policy on distributed features and validate your deployment assumptions match their threat model.
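Step 5's detection rule, written out as an added example (not code from the advisory or from PyTorch): flag any connection to a worker RPC port whose source address is outside the cluster allowlist. The CIDR allowlist, the RPC port set and the flow-log line format are all constructed for the demo; the advisory names no port, so substitute whatever your own RPC agents listen on.

```python
# Added example (not from the advisory or PyTorch): step 5's detection rule run over
# flow-log lines. Allowlisted CIDRs, RPC ports and the log format are all constructed.
import ipaddress
import re

# Constructed allowlist: only these ranges may reach worker RPC ports.
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.42.0.0/16", "10.43.0.0/24")]
# Assumed port set; the advisory names no port, so substitute what your RPC agents listen on.
RPC_PORTS = {29500, 29501}

# Constructed log format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
)

def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of the allowlisted cluster ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CIDRS)

def parse_line(line: str):
    """Return a dict of the fields we need, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "sip": m["sip"], "dip": m["dip"], "dport": int(m["dport"])}

def find_alerts(lines):
    """(timestamp, src_ip, dst_port) for each hit on an RPC port from outside the allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the monitor
        if rec["dport"] in RPC_PORTS and not is_trusted(rec["sip"]):
            alerts.append((rec["ts"], rec["sip"], rec["dport"]))
    return alerts

# Constructed sample flow-log lines.
SAMPLE_LOG = [
    "2024-10-29T10:00:01Z src=10.42.3.7:51000 dst=10.42.3.8:29500 proto=tcp",    # intra-cluster
    "2024-10-29T10:00:05Z src=203.0.113.45:40212 dst=10.42.3.8:29500 proto=tcp",  # outside -> RPC
    "2024-10-29T10:00:09Z src=192.0.2.10:40213 dst=10.42.3.9:443 proto=tcp",      # outside, not RPC
    "not a flow record",
]

if __name__ == "__main__":
    for ts, sip, port in find_alerts(SAMPLE_LOG):
        print(f"ALERT {ts}: {sip} reached RPC port {port} from outside the cluster allowlist")
```

Only the second sample line fires: it targets an RPC port from an address outside both allowlisted ranges, while the third line is external but on a port the rule does not watch.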

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to inventory AI systems and manage associated risks
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-48063?

PyTorch's RemoteModule deserializes arbitrary Python objects over the network without validation, enabling unauthenticated RCE. While PyTorch disputes this as intended behavior for trusted distributed environments, any organization exposing distributed PyTorch workers to untrusted networks is critically exposed. Audit network segmentation for all distributed training and inference infrastructure immediately—distributed PyTorch must never be reachable from untrusted networks.

Is CVE-2024-48063 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48063, increasing the risk of exploitation.

How to fix CVE-2024-48063?

  1. Immediately audit network exposure: enumerate all PyTorch distributed workers and verify they are unreachable from untrusted networks.

  2. Enforce strict network segmentation—distributed PyTorch RPC ports must be firewalled to the training cluster VPC only.

  3. If remote access is required, route exclusively through authenticated VPN or bastion with mutual TLS.

  4. No vendor patch available (vendor disputes as by-design)—mitigation is architectural, not code-based.

  5. Detection: monitor for unexpected outbound connections from ML training nodes; alert on torch.distributed port access from non-whitelisted IPs.

  6. Review PyTorch's official security policy on distributed features and validate your deployment assumptions match their threat model.

What systems are affected by CVE-2024-48063?

This vulnerability affects the following AI/ML architecture patterns: Distributed training pipelines, Parameter server architectures, Distributed inference serving, Federated learning infrastructure, Multi-node ML clusters.

What is the CVSS score for CVE-2024-48063?

CVE-2024-48063 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.58%.

What is the AI security impact?

Affected AI Architectures

Distributed training pipelines
Parameter server architectures
Distributed inference serving
Federated learning infrastructure
Multi-node ML clusters

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.

Exploitation Scenario

An adversary identifies a distributed PyTorch training cluster with RPC ports accessible from the internet or an adjacent compromised subnet. Using the published Notion-hosted PoC, they craft a malicious serialized Python pickle payload and send it to the RemoteModule RPC endpoint. PyTorch deserializes the payload without validation, executing arbitrary code as the training process user—typically with broad access to cloud credentials (AWS/GCP/Azure IAM roles), proprietary model weights, and training datasets. The attacker establishes persistence, exfiltrates model artifacts and data, and pivots laterally across all worker nodes participating in the distributed training job.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
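The two CWE-502 mitigations above, applied to a pickle-based transport as an added example (this is not PyTorch's, MITRE's or the advisory's code): the sender prepends an HMAC-SHA256 tag over the serialized bytes, and the receiver verifies that tag in constant time before any deserialization, then unpickles with a loader that can resolve only one allowlisted message class. The shared key, the ParamUpdate class and the sample payloads are all constructed for the demo.

```python
# Added example (not PyTorch's or MITRE's code): the CWE-502 mitigations above applied
# to a pickle transport. Key, message class and payloads are constructed for the demo.
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key-use-a-real-secret-in-deployment"
TAG_LEN = 32  # SHA-256 digest length

@dataclass
class ParamUpdate:  # constructed stand-in for a worker message; the only type accepted
    layer: str
    values: list

def seal(obj, key: bytes = SHARED_KEY) -> bytes:
    """Serialize obj and prepend HMAC-SHA256(key, serialized bytes)."""
    body = pickle.dumps(obj, protocol=4)
    return hmac.new(key, body, hashlib.sha256).digest() + body

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve no global except the allowlisted class, so no arbitrary callable can be built."""
    def find_class(self, module, name):
        if (module, name) == (ParamUpdate.__module__, ParamUpdate.__name__):
            return ParamUpdate
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

def open_sealed(blob: bytes, key: bytes = SHARED_KEY):
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    # Constant-time tag check; nothing is deserialized unless it matches.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("HMAC mismatch: payload rejected before deserialization")
    return RestrictedUnpickler(io.BytesIO(body)).load()

def rejects(blob: bytes, exc) -> bool:
    try:
        open_sealed(blob)
    except exc:
        return True
    return False

def demo():
    """Returns (genuine accepted, tampered rejected, unexpected type rejected)."""
    update = ParamUpdate("layer.bias", [0.0, 0.5])
    blob = seal(update)
    tampered = blob[:TAG_LEN] + blob[TAG_LEN:].replace(b"bias", b"bIas")
    unexpected = seal(range(3))  # correctly signed, but builtins.range is not allowlisted
    return (open_sealed(blob) == update, rejects(tampered, ValueError),
            rejects(unexpected, pickle.UnpicklingError))
```

The tag check only proves the bytes came from a key holder; the restricted loader is what keeps a compromised key holder from handing the receiver an arbitrary callable to construct.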

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: October 29, 2024
Last Modified: July 16, 2025
First Seen: October 29, 2024

Related Vulnerabilities