AI Threat Alert AI Threat Alert

CVE-2025-3000: PyTorch: memory corruption in torch.jit.script compiler

MEDIUM PoC AVAILABLE
Published March 31, 2025
CISO Take

PyTorch 2.6.0's JIT compiler has a memory corruption flaw (CWE-119) triggerable by any local user with low privileges — a realistic threat in shared ML infrastructure like JupyterHub, Kubeflow, or multi-tenant GPU clusters. A public exploit exists, raising near-term exploitation probability. Patch PyTorch when a fixed release is available and isolate untrusted code execution in the interim.

Risk Assessment

Nominal CVSS of 5.3 (Medium) understates operational risk for organizations running shared ML infrastructure. Local attack vector is trivially satisfied in multi-user training environments. Low complexity + low privilege requirements + public exploit = elevated practical risk beyond the base score. No CISA KEV listing suggests no active mass exploitation yet, but the public PoC changes the calculus for exposed environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch pip No patch
99.8K OpenSSF 6.4 21.9K dependents Pushed today 8% patched ~142d to patch Full package profile →

Do you use pytorch? You're affected.

Severity & Risk

CVSS 3.1
5.3 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 21% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A Low

Recommended Action

5 steps

  1. Monitor pytorch/pytorch#149623 for patch release and prioritize upgrade to fixed version.

  2. Until patched: restrict torch.jit.script execution to trusted users only on shared ML platforms.

  3. Run all PyTorch workloads in isolated containers with restrictive seccomp/AppArmor profiles and no-new-privileges.

  4. Audit multi-tenant ML platforms for users who could submit arbitrary PyTorch code.

  5. Alert on unexpected PyTorch process crashes or OOM events in training infrastructure as potential exploitation indicators.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 AML.T0050 AML.T0105

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI system risk assessment
NIST AI RMF
MANAGE 2.4 - Mechanisms for tracking, responding to and recovering from risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-3000?

PyTorch 2.6.0's JIT compiler has a memory corruption flaw (CWE-119) triggerable by any local user with low privileges — a realistic threat in shared ML infrastructure like JupyterHub, Kubeflow, or multi-tenant GPU clusters. A public exploit exists, raising near-term exploitation probability. Patch PyTorch when a fixed release is available and isolate untrusted code execution in the interim.

Is CVE-2025-3000 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3000, increasing the risk of exploitation.

How to fix CVE-2025-3000?

1. Monitor pytorch/pytorch#149623 for patch release and prioritize upgrade to fixed version. 2. Until patched: restrict torch.jit.script execution to trusted users only on shared ML platforms. 3. Run all PyTorch workloads in isolated containers with restrictive seccomp/AppArmor profiles and no-new-privileges. 4. Audit multi-tenant ML platforms for users who could submit arbitrary PyTorch code. 5. Alert on unexpected PyTorch process crashes or OOM events in training infrastructure as potential exploitation indicators.

What systems are affected by CVE-2025-3000?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, multi-tenant GPU clusters, Jupyter/notebook environments.

What is the CVSS score for CVE-2025-3000?

CVE-2025-3000 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An attacker with a low-privilege account on a shared GPU training server crafts a Python script invoking torch.jit.script with a malformed function or class designed to trigger the memory corruption bug. During JIT compilation, the manipulated input corrupts adjacent memory structures. Depending on heap layout, this could enable arbitrary write primitives for privilege escalation on the host or, in Kubernetes-based ML platforms, a path to container escape. In a supply chain scenario, a malicious dependency could silently inject the exploit into a training pipeline.

Weaknesses (CWE)

CWE-119

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published
March 31, 2025
Last Modified
May 29, 2025
First Seen
March 31, 2025

Related Vulnerabilities

CRITICAL CVE-2024-5452 9.8

pytorch-lightning: RCE via deepdiff Delta deserialization

Same package: torch
CRITICAL CVE-2023-43654 9.8

TorchServe: SSRF + RCE via unrestricted model URL loading

Same package: torch
CRITICAL CVE-2022-45907 9.8

PyTorch: RCE via unsafe eval in JIT annotations

Same package: torch
CRITICAL CVE-2022-0845 9.8

pytorch-lightning: code injection enables full RCE

Same package: torch
CRITICAL CVE-2024-35198 9.8

TorchServe: URL bypass enables arbitrary model loading

Same package: torch
Back to Threat Feed