CVE-2025-2149: PyTorch: improper init in quantized sigmoid skews model output

LOW | PoC AVAILABLE | CISA: TRACK*
Published March 10, 2025
CISO Take

This low-severity flaw in PyTorch 2.6.0's quantized Sigmoid module allows a local attacker with limited privileges to corrupt scale/zero_point initialization, silently degrading model prediction integrity. It is not actively exploited and requires local access with high complexity — deprioritize patching unless running inference workloads on multi-tenant or shared GPU infrastructure. Monitor for PyTorch patch releases and schedule the upgrade in the next maintenance window.

Risk Assessment

Risk is LOW in isolation. CVSS 2.5 reflects local-only access, high attack complexity, and integrity-only impact. However, in AI/ML pipelines where quantized models are deployed on shared inference servers, an insider or compromised process could exploit this to introduce subtle, hard-to-detect prediction errors. The real risk is not immediate compromise but undetected model integrity erosion — particularly dangerous in safety-critical or compliance-sensitive AI workloads.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch pip No patch

Severity & Risk

CVSS 3.1: 2.5 / 10
EPSS: 0.1% chance of exploitation in 30 days
Higher than 16% of all CVEs
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

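AV (Attack Vector): Local
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): None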

Recommended Action

  1. Inventory PyTorch versions across inference and training infrastructure — flag any deployment on 2.6.0+cu124.

  2. Avoid using torch.nn.quantized.Sigmoid with unvalidated scale/zero_point arguments until patched.

  3. Validate quantization parameters at model load time: assert scale > 0 and zero_point is within expected integer range.

  4. Monitor GitHub issue #147818 for upstream patch status.

  5. If quantized inference is critical, consider downgrading to PyTorch 2.5.x as a temporary workaround.

  6. For production serving, enforce process isolation on inference workers to limit local privilege escalation paths.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system development — Data for AI systems
NIST AI RMF: MEASURE 2.5 - AI system performance and trustworthiness evaluated
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-2149?

This low-severity flaw in PyTorch 2.6.0's quantized Sigmoid module allows a local attacker with limited privileges to corrupt scale/zero_point initialization, silently degrading model prediction integrity. It is not actively exploited and requires local access with high complexity — deprioritize patching unless running inference workloads on multi-tenant or shared GPU infrastructure. Monitor for PyTorch patch releases and schedule the upgrade in the next maintenance window.

Is CVE-2025-2149 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2149, increasing the risk of exploitation.

How to fix CVE-2025-2149?

  1. Inventory PyTorch versions across inference and training infrastructure — flag any deployment on 2.6.0+cu124.

  2. Avoid using `torch.nn.quantized.Sigmoid` with unvalidated scale/zero_point arguments until patched.

  3. Validate quantization parameters at model load time: assert scale > 0 and zero_point is within expected integer range.

  4. Monitor GitHub issue #147818 for upstream patch status.

  5. If quantized inference is critical, consider downgrading to PyTorch 2.5.x as a temporary workaround.

  6. For production serving, enforce process isolation on inference workers to limit local privilege escalation paths.

What systems are affected by CVE-2025-2149?

This vulnerability affects the following AI/ML architecture patterns: quantized inference serving, training pipelines, model serving, edge AI deployments.

What is the CVSS score for CVE-2025-2149?

CVE-2025-2149 has a CVSS v3.1 base score of 2.5 (LOW). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

A malicious insider or compromised CI/CD process with user-level access to an inference server constructs a PyTorch model artifact that instantiates `nnq_Sigmoid` with crafted scale=0.001 and zero_point=255. When the model is loaded and executed in production, the quantized activation output maps incorrectly, causing the model to systematically misclassify specific inputs. In a content moderation or fraud detection pipeline, this creates a reliable bypass: attacker-controlled inputs pass through undetected while legitimate traffic may be misflagged. The integrity degradation is subtle and unlikely to trigger standard accuracy-monitoring thresholds unless A/B comparisons against full-precision models are in place.
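
An added example (not code from this advisory or from PyTorch) of the load-time validation in step 3 of the recommended actions, applied to the scale=0.001 / zero_point=255 values from the scenario above. The function names, the sample module names, the quint8 dtype and the extra [0, 1] coverage check are assumptions of this example; the coverage check goes beyond step 3, because the scenario's values pass a plain "scale > 0, zero_point in range" test for quint8.

```python
import math

# Integer ranges of PyTorch's quantized dtypes, keyed by dtype name.
QRANGES = {"quint8": (0, 255), "qint8": (-128, 127), "qint32": (-2**31, 2**31 - 1)}


def check_sigmoid_qparams(scale, zero_point, dtype="quint8"):
    """Return a list of problems with a quantized sigmoid's output qparams (empty = usable)."""
    if dtype not in QRANGES:
        return [f"unsupported dtype {dtype!r}"]
    qmin, qmax = QRANGES[dtype]
    problems = []
    # Step 3 of the recommended actions: scale > 0 and zero_point inside the dtype's range.
    if isinstance(scale, bool) or not isinstance(scale, (int, float)):
        problems.append("scale is not a number")
    elif not math.isfinite(scale) or scale <= 0:
        problems.append("scale must be finite and > 0")
    if isinstance(zero_point, bool) or not isinstance(zero_point, int):
        problems.append("zero_point is not an integer")
    elif not qmin <= zero_point <= qmax:
        problems.append(f"zero_point outside [{qmin}, {qmax}]")
    if problems:
        return problems
    # Added check (an assumption of this example): the dequantized range must span
    # sigmoid's output interval [0, 1] to within one quantization step.
    lo = (qmin - zero_point) * scale
    hi = (qmax - zero_point) * scale
    if lo - scale > 0.0 or hi + scale < 1.0:
        problems.append(f"representable range [{lo:.4g}, {hi:.4g}] does not cover [0, 1]")
    return problems


def audit(modules):
    """modules: iterable of (name, scale, zero_point, dtype); returns {name: problems} for failures."""
    return {n: p for n, s, z, d in modules if (p := check_sigmoid_qparams(s, z, d))}


# Constructed sample inventory; the module names are made up for this example.
SAMPLE = [
    ("head.act_ok", 1.0 / 256, 0, "quint8"),
    ("head.act_scenario", 0.001, 255, "quint8"),
    ("head.act_zero_scale", 0.0, 0, "quint8"),
    ("head.act_bad_zp", 1.0 / 256, 300, "quint8"),
]

if __name__ == "__main__":
    for name, probs in audit(SAMPLE).items():
        print(name, "->", "; ".join(probs))
```

With zero_point at the top of the quint8 range, every representable output value is at or below 0, so the activation saturates; that is what the coverage check reports for the scenario's parameters.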

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published: March 10, 2025
Last Modified: February 24, 2026
First Seen: March 10, 2025
