CVE-2024-48063: PyTorch: RCE via RemoteModule deserialization

CRITICAL | PoC AVAILABLE | CISA SSVC: ATTEND
Published October 29, 2024
CISO Take

PyTorch's RemoteModule deserializes arbitrary Python objects over the network without validation, enabling unauthenticated RCE. While PyTorch disputes this as intended behavior for trusted distributed environments, any organization exposing distributed PyTorch workers to untrusted networks is critically exposed. Audit network segmentation for all distributed training and inference infrastructure immediately—distributed PyTorch must never be reachable from untrusted networks.

Risk Assessment

High real-world risk despite the disputed status. CVSS 9.8 reflects technical reality: unauthenticated, network-accessible RCE with no user interaction required. The dispute is a design-philosophy argument—PyTorch assumes a trusted network for distributed features—but ML teams routinely misconfigure network exposure. In cloud environments with shared VPCs, multi-tenant clusters, or improperly segmented training farms, exploitation is trivial. A publicly available PoC exploit significantly increases the probability of opportunistic attacks.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
pytorch   pip         -                  No patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 25.1% chance of exploitation in 30 days (higher than 96% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 25%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. Immediately audit network exposure: enumerate all PyTorch distributed workers and verify they are unreachable from untrusted networks.

  2. Enforce strict network segmentation—distributed PyTorch RPC ports must be firewalled to the training cluster VPC only.

  3. If remote access is required, route exclusively through authenticated VPN or bastion with mutual TLS.

  4. No vendor patch available (vendor disputes as by-design)—mitigation is architectural, not code-based.

  5. Detection: monitor for unexpected outbound connections from ML training nodes; alert on torch.distributed port access from non-whitelisted IPs.

  6. Review PyTorch's official security policy on distributed features and validate your deployment assumptions match their threat model.
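The audit and detection steps above (steps 1, 2 and 5) can be checked against connection records. The following is an added example, not code from this page or from the PyTorch project: it reads constructed flow-log lines, treats a single assumed cluster CIDR as the trusted network, and flags both inbound traffic to the distributed ports from outside that range and egress from workers to hosts outside it. The port set and CIDR are assumptions to replace with your own deployment's values.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the subnets that hold the training/inference workers. Replace with your VPC ranges.
CLUSTER_CIDRS = [ipaddress.ip_network("10.42.0.0/16")]

# Assumption: ports the distributed job listens on. 29500 is torch.distributed's default
# MASTER_PORT; the RPC backend ports are whatever your launcher configured, so add them here.
DISTRIBUTED_PORTS = {29500, 29501}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line):
    """Parse one constructed flow record of the form 'src_ip dst_ip dst_port action'."""
    src, dst, port, action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action


def in_cluster(addr):
    return any(addr in net for net in CLUSTER_CIDRS)


def audit_flows(lines):
    """Return findings for accepted traffic that breaks the trusted-network assumption."""
    findings = []
    for line in lines:
        src, dst, port, action = parse_flow(line)
        if action != "ACCEPT":
            continue  # blocked at the firewall, nothing reached the worker
        if port in DISTRIBUTED_PORTS and in_cluster(dst) and not in_cluster(src):
            findings.append(Finding(str(src), str(dst), port, "inbound RPC from outside cluster"))
        elif in_cluster(src) and not in_cluster(dst):
            # Any egress outside the cluster is reported; add an egress allowlist for
            # legitimate destinations such as your artifact store or cloud metadata endpoints.
            findings.append(Finding(str(src), str(dst), port, "unexpected outbound from worker"))
    return findings


SAMPLE_FLOWS = [  # constructed records, not real traffic
    "10.42.1.7 10.42.1.8 29500 ACCEPT",     # worker-to-worker: expected
    "203.0.113.9 10.42.1.8 29500 ACCEPT",   # external host reached the RPC port
    "203.0.113.9 10.42.1.8 29500 REJECT",   # blocked at the firewall
    "10.42.1.8 198.51.100.20 443 ACCEPT",   # worker calling out to an unknown host
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.reason}: {f.src} -> {f.dst}:{f.port}")
```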

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to inventory AI systems and manage associated risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-48063?

PyTorch's RemoteModule deserializes arbitrary Python objects over the network without validation, enabling unauthenticated RCE. While PyTorch disputes this as intended behavior for trusted distributed environments, any organization exposing distributed PyTorch workers to untrusted networks is critically exposed. Audit network segmentation for all distributed training and inference infrastructure immediately—distributed PyTorch must never be reachable from untrusted networks.

Is CVE-2024-48063 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48063, increasing the risk of exploitation.

How to fix CVE-2024-48063?

  1. Immediately audit network exposure: enumerate all PyTorch distributed workers and verify they are unreachable from untrusted networks.

  2. Enforce strict network segmentation—distributed PyTorch RPC ports must be firewalled to the training cluster VPC only.

  3. If remote access is required, route exclusively through authenticated VPN or bastion with mutual TLS.

  4. No vendor patch available (vendor disputes as by-design)—mitigation is architectural, not code-based.

  5. Detection: monitor for unexpected outbound connections from ML training nodes; alert on torch.distributed port access from non-whitelisted IPs.

  6. Review PyTorch's official security policy on distributed features and validate your deployment assumptions match their threat model.

What systems are affected by CVE-2024-48063?

This vulnerability affects the following AI/ML architecture patterns: Distributed training pipelines, Parameter server architectures, Distributed inference serving, Federated learning infrastructure, Multi-node ML clusters.

What is the CVSS score for CVE-2024-48063?

CVE-2024-48063 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 25.10%.

Technical Details

NVD Description

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.

Exploitation Scenario

An adversary identifies a distributed PyTorch training cluster with RPC ports accessible from the internet or an adjacent compromised subnet. Using the published Notion-hosted PoC, they craft a malicious serialized Python pickle payload and send it to the RemoteModule RPC endpoint. PyTorch deserializes the payload without validation, executing arbitrary code as the training process user—typically with broad access to cloud credentials (AWS/GCP/Azure IAM roles), proprietary model weights, and training datasets. The attacker establishes persistence, exfiltrates model artifacts and data, and pivots laterally across all worker nodes participating in the distributed training job.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
October 29, 2024
Last Modified
July 16, 2025
First Seen
October 29, 2024
