CVE-2025-2148 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

PyTorch 2.6.0+cu124 contains a memory corruption flaw in its JIT profiler that can be triggered remotely. While high attack complexity and required user interaction reduce immediate exploitation risk, organizations running this exact build in training clusters or GPU-accelerated inference should upgrade and monitor pytorch/pytorch#147722 for a patch. Disable JIT profiling in production as a compensating control until a fix is available.

Risk Assessment

High severity with constrained real-world exploitability. CVSS 7.5 reflects full-compromise potential (C:H/I:H/A:H), but AC:H and UI:R requirements significantly limit opportunistic attacks. Primary risk is in organizations running PyTorch 2.6.0+cu124 with any network-accessible surface—common in model serving APIs and distributed training setups. No public PoC or active exploitation observed; not in CISA KEV. Risk escalates if a weaponized PoC is published given PyTorch's ubiquity across the ML ecosystem.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
pytorch	pip	—	No patch
99.8K OpenSSF 6.4 21.9K dependents Pushed today 8% patched ~142d to patch Full package profile →

Do you use pytorch? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 24% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Advanced

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

6 steps

Inventory: identify all PyTorch 2.6.0+cu124 deployments (pip show torch | grep Version).
Patch: upgrade to a patched PyTorch release once available; monitor pytorch/pytorch#147722 for fix status.
Compensating control: disable torch.profiler invocation in production code paths.
Network isolation: restrict inbound access to model serving endpoints backed by PyTorch (TorchServe, FastAPI/Triton wrappers).
Detection: alert on segfaults or abnormal memory errors in PyTorch processes; crashes in JIT/profiler context are IOCs.
Avoid loading untrusted serialized models (.pt/.pth) or executing untrusted PyTorch scripts in any environment using this build.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity for high-risk AI systems

ISO 42001

A.10.1 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-2148?

PyTorch 2.6.0+cu124 contains a memory corruption flaw in its JIT profiler that can be triggered remotely. While high attack complexity and required user interaction reduce immediate exploitation risk, organizations running this exact build in training clusters or GPU-accelerated inference should upgrade and monitor pytorch/pytorch#147722 for a patch. Disable JIT profiling in production as a compensating control until a fix is available.

Is CVE-2025-2148 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2148, increasing the risk of exploitation.

How to fix CVE-2025-2148?

1. Inventory: identify all PyTorch 2.6.0+cu124 deployments (pip show torch | grep Version). 2. Patch: upgrade to a patched PyTorch release once available; monitor pytorch/pytorch#147722 for fix status. 3. Compensating control: disable torch.profiler invocation in production code paths. 4. Network isolation: restrict inbound access to model serving endpoints backed by PyTorch (TorchServe, FastAPI/Triton wrappers). 5. Detection: alert on segfaults or abnormal memory errors in PyTorch processes; crashes in JIT/profiler context are IOCs. 6. Avoid loading untrusted serialized models (.pt/.pth) or executing untrusted PyTorch scripts in any environment using this build.

What systems are affected by CVE-2025-2148?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments.

What is the CVSS score for CVE-2025-2148?

CVE-2025-2148 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.

Exploitation Scenario

An adversary targets an organization running a model serving API backed by PyTorch 2.6.0+cu124 with JIT compilation enabled. By crafting a malicious serialized model or adversarial inference request that routes through the profiler's JIT future callback handler with a None tuple argument, the attacker triggers memory corruption. In a realistic scenario—a TorchServe endpoint or Jupyter notebook server reachable over the network—this could escalate to remote code execution on the ML host, compromising training data, model weights, and any cloud credentials stored in the environment. User interaction (e.g., loading the crafted artifact) remains a required step, making phishing or dependency confusion a likely delivery vector.