CVE-2025-30402: ExecuTorch: heap overflow in method load, RCE risk

GHSA-h952-963h-rv99 HIGH
Published July 11, 2025
CISO Take

ExecuTorch's on-device inference runtime crashes and may allow code execution when loading maliciously crafted model files. Any mobile or edge AI deployment using ExecuTorch <= 0.6.0 should upgrade to 0.7.0 immediately — this includes Android apps using the Maven package. If models are loaded from external or user-controlled sources, treat this as critical regardless of EPSS score.

Risk Assessment

CVSS 8.1 (High) with very low EPSS (0.00096), not in CISA KEV. User interaction is required (UI:R), meaning exploitation likely requires a victim to load a crafted model file. Attack complexity is low and no privileges are needed, making it accessible to motivated attackers. The main risk vector is supply chain: orgs that pull models from public hubs, CDNs, or allow user-supplied model files are materially exposed. Confidentiality and availability both rated High — a successful exploit could crash the runtime or exfiltrate on-device data.

Affected Systems

Package                         Ecosystem  Vulnerable Range  Patched
executorch                      pip        <= 0.6.0          0.7.0-rc1
executorch                      pip        <= 0.6.0          0.7.0
org.pytorch:executorch-android  maven      <= 0.6.0          0.7.0-rc1

Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 63% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I None
A High

Recommended Action

  1. Upgrade: pip install "executorch>=0.7.0" (quoted so the shell does not treat > as a redirect) or update the Maven dependency to executorch-android:0.7.0-rc1.

  2. Verify commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f is included in your build if using a custom build from source.

  3. Restrict model loading to cryptographically signed, internally-verified model files only — reject unsigned or third-party model artifacts.

  4. Audit OTA model update pipelines for integrity checks and chain-of-custody validation.

  5. For Android deployments, check if the Maven package version is pinned in build.gradle and force update.

  6. Detection: monitor for abnormal process crashes in inference workers; heap overflow exploits often leave crash signatures in logcat/syslog before achieving stable execution.
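To support steps 1 and 5, the following added example (not part of the original advisory) scans dependency pins for the affected range listed above. The sample requirements.txt and build.gradle contents are constructed, and only exact `==` pip pins and Maven coordinates are matched.

```python
import re

# Affected range from the advisory: every release up to and including 0.6.0.
LAST_VULNERABLE = (0, 6, 0)

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
torch==2.7.0
executorch==0.6.0    # pinned before the advisory
"""
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation("org.pytorch:executorch-android:0.7.0-rc1")
    implementation 'com.example:other-lib:0.5.0'
}
"""

PIP_PIN = re.compile(r"^\s*executorch\s*==\s*([0-9][\w.\-]*)", re.M)
MAVEN_PIN = re.compile(r"org\.pytorch:executorch-android:([0-9][\w.\-]*)")


def release_tuple(version):
    """Numeric release part only: '0.7.0-rc1' -> (0, 7, 0)."""
    nums = re.match(r"\d+(?:\.\d+)*", version).group(0).split(".")
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))


def is_vulnerable(version):
    # Pre-releases of 0.6.0 or older are treated as affected; 0.7.0-rc1 is
    # listed as patched in the advisory, so its release part (0, 7, 0) passes.
    return release_tuple(version) <= LAST_VULNERABLE


def audit(requirements_text, gradle_text):
    """Return (ecosystem, version, vulnerable) for every executorch pin found."""
    findings = []
    for m in PIP_PIN.finditer(requirements_text):
        findings.append(("pip", m.group(1), is_vulnerable(m.group(1))))
    for m in MAVEN_PIN.finditer(gradle_text):
        findings.append(("maven", m.group(1), is_vulnerable(m.group(1))))
    return findings


if __name__ == "__main__":
    for eco, ver, bad in audit(SAMPLE_REQUIREMENTS, SAMPLE_BUILD_GRADLE):
        print(f"{eco:5} {ver:10} {'VULNERABLE' if bad else 'ok'}")
```

Unpinned or range-based requirements are not evaluated here; resolve them with the package manager's lock file before auditing.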

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 17 - Quality Management System — third-party components
Article 9 - Risk Management System
ISO 42001
A.6.1.4 - AI system risk management — third-party and supply chain
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to and recover from AI risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-30402?

ExecuTorch's on-device inference runtime crashes and may allow code execution when loading maliciously crafted model files. Any mobile or edge AI deployment using ExecuTorch <= 0.6.0 should upgrade to 0.7.0 immediately — this includes Android apps using the Maven package. If models are loaded from external or user-controlled sources, treat this as critical regardless of EPSS score.

Is CVE-2025-30402 actively exploited?

No confirmed active exploitation of CVE-2025-30402 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-30402?

  1. Upgrade: pip install "executorch>=0.7.0" (quoted so the shell does not treat > as a redirect) or update the Maven dependency to executorch-android:0.7.0-rc1.
  2. Verify commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f is included in your build if using a custom build from source.
  3. Restrict model loading to cryptographically signed, internally-verified model files only — reject unsigned or third-party model artifacts.
  4. Audit OTA model update pipelines for integrity checks and chain-of-custody validation.
  5. For Android deployments, check if the Maven package version is pinned in build.gradle and force update.
  6. Detection: monitor for abnormal process crashes in inference workers; heap overflow exploits often leave crash signatures in logcat/syslog before achieving stable execution.

What systems are affected by CVE-2025-30402?

This vulnerability affects the following AI/ML architecture patterns: on-device model inference, mobile ML deployment, edge AI / embedded inference, model serving, OTA model update pipelines.

What is the CVSS score for CVE-2025-30402?

CVE-2025-30402 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.43%.

Technical Details

NVD Description

A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch model file (.pte) with a specially constructed method structure designed to trigger a heap buffer overflow during the method-loading phase. The attacker hosts this file on a public model repository (e.g., HuggingFace, a CDN, or a compromised model registry). A mobile app or edge device with an automatic model update feature downloads and loads the malicious file. The overflow corrupts heap memory, potentially overwriting function pointers or return addresses, enabling arbitrary code execution in the context of the inference process — which may have access to local sensor data, credentials stored on device, or serve as a pivot into the broader device OS.
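The scenario above depends on an update path that loads whatever it downloads, which is what step 3 of the recommended actions is meant to stop. The following added example (not code from the advisory or from ExecuTorch) shows a pre-load gate that refuses any .pte file whose digest is not pinned. It substitutes SHA-256 digest pinning for full signature verification so that it runs on the standard library alone; the names `gate_model`, `UntrustedModel`, the size limit and the sample file are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

MAX_MODEL_BYTES = 512 * 1024 * 1024  # assumed upper bound for a .pte artifact


class UntrustedModel(Exception):
    """Raised when a model file must not reach the runtime loader."""


def sha256_file(path, limit=MAX_MODEL_BYTES):
    digest, seen = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            seen += len(chunk)
            if seen > limit:
                raise UntrustedModel(f"{path}: larger than {limit} bytes")
            digest.update(chunk)
    return digest.hexdigest()


def gate_model(path, pinned):
    # `pinned` maps file name -> hex SHA-256 and must come from a trusted,
    # separately authenticated source (for example, shipped in the signed app).
    expected = pinned.get(os.path.basename(path))
    if expected is None:
        raise UntrustedModel(f"{path}: no pinned digest, refusing to load")
    if not hmac.compare_digest(sha256_file(path), expected.lower()):
        raise UntrustedModel(f"{path}: digest mismatch, refusing to load")
    return path  # only now hand the file to the ExecuTorch loader


def demo():
    """Constructed data: accept a pinned file, reject it after tampering."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "classifier.pte")
        with open(path, "wb") as fh:
            fh.write(b"constructed model bytes")
        pins = {"classifier.pte": sha256_file(path)}
        accepted = gate_model(path, pins) == path
        with open(path, "ab") as fh:
            fh.write(b"\x00tampered")
        try:
            gate_model(path, pins)
        except UntrustedModel:
            return accepted, True
        return accepted, False
```

The gate limits which files reach the vulnerable loader; it does not replace upgrading to a patched release.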

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Timeline

Published: July 11, 2025
Last Modified: October 6, 2025
First Seen: March 24, 2026
