AI Threat Alert

CVE-2025-3000: PyTorch: memory corruption in torch.jit.script compiler

GHSA-rrmf-rvhw-rf47 MEDIUM PoC AVAILABLE
Published March 31, 2025
CISO Take

PyTorch 2.6.0's JIT compiler has a memory corruption flaw (CWE-119) triggerable by any local user with low privileges — a realistic threat in shared ML infrastructure like JupyterHub, Kubeflow, or multi-tenant GPU clusters. A public exploit exists, raising near-term exploitation probability. Patch PyTorch when a fixed release is available and isolate untrusted code execution in the interim.

What is the risk?

Nominal CVSS of 5.3 (Medium) understates operational risk for organizations running shared ML infrastructure. Local attack vector is trivially satisfied in multi-user training environments. Low complexity + low privilege requirements + public exploit = elevated practical risk beyond the base score. No CISA KEV listing suggests no active mass exploitation yet, but the public PoC changes the calculus for exposed environments.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PyTorch pip No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →
PyTorch pip <= 2.12.0 No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 7% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A Low

What should I do?

5 steps

  1. Monitor pytorch/pytorch#149623 for patch release and prioritize upgrade to fixed version.

  2. Until patched: restrict torch.jit.script execution to trusted users only on shared ML platforms.

  3. Run all PyTorch workloads in isolated containers with restrictive seccomp/AppArmor profiles and no-new-privileges.

  4. Audit multi-tenant ML platforms for users who could submit arbitrary PyTorch code.

  5. Alert on unexpected PyTorch process crashes or OOM events in training infrastructure as potential exploitation indicators.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Inference AML.T0010.001 AML.T0050 AML.T0105

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI system risk assessment
NIST AI RMF
MANAGE 2.4 - Mechanisms for tracking, responding to and recovering from risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-3000?

PyTorch 2.6.0's JIT compiler has a memory corruption flaw (CWE-119) triggerable by any local user with low privileges — a realistic threat in shared ML infrastructure like JupyterHub, Kubeflow, or multi-tenant GPU clusters. A public exploit exists, raising near-term exploitation probability. Patch PyTorch when a fixed release is available and isolate untrusted code execution in the interim.

Is CVE-2025-3000 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3000, increasing the risk of exploitation.

How to fix CVE-2025-3000?

1. Monitor pytorch/pytorch#149623 for patch release and prioritize upgrade to fixed version. 2. Until patched: restrict torch.jit.script execution to trusted users only on shared ML platforms. 3. Run all PyTorch workloads in isolated containers with restrictive seccomp/AppArmor profiles and no-new-privileges. 4. Audit multi-tenant ML platforms for users who could submit arbitrary PyTorch code. 5. Alert on unexpected PyTorch process crashes or OOM events in training infrastructure as potential exploitation indicators.

What systems are affected by CVE-2025-3000?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, multi-tenant GPU clusters, Jupyter/notebook environments.

What is the CVSS score for CVE-2025-3000?

CVE-2025-3000 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingMLOps pipelinesmulti-tenant GPU clustersJupyter/notebook environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0050 Command and Scripting Interpreter
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An attacker with a low-privilege account on a shared GPU training server crafts a Python script invoking torch.jit.script with a malformed function or class designed to trigger the memory corruption bug. During JIT compilation, the manipulated input corrupts adjacent memory structures. Depending on heap layout, this could enable arbitrary write primitives for privilege escalation on the host or, in Kubernetes-based ML platforms, a path to container escape. In a supply chain scenario, a malicious dependency could silently inject the exploit into a training pipeline.

Weaknesses (CWE)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Primary CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published
March 31, 2025
Last Modified
June 10, 2026
First Seen
March 31, 2025

Related Vulnerabilities

CRITICAL CVE-2024-5452 9.8

pytorch-lightning: RCE via deepdiff Delta deserialization

Same package: torch
CRITICAL CVE-2023-43654 9.8

TorchServe: SSRF + RCE via unrestricted model URL loading

Same package: torch
CRITICAL CVE-2022-45907 9.8

PyTorch: RCE via unsafe eval in JIT annotations

Same package: torch
CRITICAL CVE-2022-0845 9.8

pytorch-lightning: code injection enables full RCE

Same package: torch
CRITICAL CVE-2024-35198 9.8

TorchServe: URL bypass enables arbitrary model loading

Same package: torch
Back to Threat Feed