CVE-2025-30404: ExecuTorch: integer overflow RCE on model load

GHSA-hj95-mhgf-jxc4 CRITICAL CISA: TRACK*
Published August 8, 2025

CISO Take

Any application loading ExecuTorch models — especially from untrusted or user-supplied sources — is exposed to unauthenticated remote code execution. This is a CVSS 9.8 with no privileges and no user interaction required, making it trivially weaponizable via a crafted model file. Patch to ExecuTorch 0.7.0 immediately and enforce model provenance controls until patched.

Risk Assessment

CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) puts this at maximum exploitability on paper. EPSS is currently very low (0.15%), suggesting no active exploitation detected yet, but the attack surface is broad: any mobile, edge, or server-side AI system that loads .pte model files is potentially reachable. The window between disclosure and weaponized PoC for integer overflow vulnerabilities in memory-unsafe contexts is historically short. Risk is HIGH for organizations running ExecuTorch in production, especially if model loading accepts externally-sourced files.

Affected Systems

Package                          Ecosystem   Vulnerable Range   Patched
executorch                       pip         < 0.7.0            0.7.0
org.pytorch:executorch-android   maven       < 0.7.0            0.7.0

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 48% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

5 steps
  1. PATCH

    Upgrade executorch (pip), executorch-android (Maven), or any source build to version 0.7.0 or commit d158236b1dc84539c1b16843bc74054c9dcba006 or later.

  2. INVENTORY

    Identify all services and mobile apps loading ExecuTorch models, especially those accepting models from external or user-controlled sources.

  3. RESTRICT

    Until patched, enforce strict model provenance — load only cryptographically signed models from internal registries; reject any externally sourced .pte files.

  4. DETECT

    Monitor for anomalous crashes or segfaults in model-loading components, which may indicate active probing or exploitation attempts.

  5. SBOM

    If running a mobile AI product, notify downstream users of the affected Android SDK dependency and release an updated build.
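A minimal pre-load gate for the RESTRICT and PATCH steps above, as an added example that is not ExecuTorch code or part of the original advisory. The manifest layout, key, file name and function names are assumptions, and the HMAC tag stands in for the asymmetric signature a production registry would use.

```python
import hashlib
import hmac
import json
import re

FIRST_PATCHED = (0, 7, 0)  # from the advisory: executorch < 0.7.0 is vulnerable


def runtime_is_patched(version: str) -> bool:
    """True only for a plain N.N.N version at or above 0.7.0 (fails closed)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and tuple(int(p) for p in m.groups()) >= FIRST_PATCHED


def load_manifest(manifest: bytes, tag_hex: str, key: bytes) -> dict:
    """Authenticate the registry manifest before trusting any digest in it."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise PermissionError("manifest signature mismatch")
    return json.loads(manifest)


def admit_model(name: str, blob: bytes, digests: dict, runtime_version: str):
    """Decide whether a .pte blob may be handed to the native loader."""
    if not name.endswith(".pte"):
        return False, "not a .pte file"
    if digests.get(name) != hashlib.sha256(blob).hexdigest():
        return False, "digest not in signed manifest"
    if not runtime_is_patched(runtime_version):
        return True, "allowed; runtime below 0.7.0, upgrade"
    return True, "allowed"


# Constructed sample data: key, model bytes and manifest are made up.
KEY = b"constructed-demo-key"
GOOD = b"constructed model bytes"
MANIFEST = json.dumps({"classifier.pte": hashlib.sha256(GOOD).hexdigest()}).encode()
TAG = hmac.new(KEY, MANIFEST, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    digests = load_manifest(MANIFEST, TAG, KEY)
    print(admit_model("classifier.pte", GOOD, digests, "0.6.0"))
    print(admit_model("classifier.pte", GOOD + b"x", digests, "0.6.0"))
```

The gate hashes the bytes it is about to load, so a file swapped after registry download is rejected even though its name is listed.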

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.2.2 - Suppliers and third-party relationships
  A.9.3.1 - Security of AI systems
NIST AI RMF
  GOVERN 6.1 - Policies for AI risk in the supply chain
  MANAGE 2.2 - Mechanisms to address identified AI risks
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-30404 actively exploited?

No confirmed active exploitation of CVE-2025-30404 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-30404?

  1. PATCH: Upgrade executorch (pip), executorch-android (Maven), or any source build to version 0.7.0 or commit d158236b1dc84539c1b16843bc74054c9dcba006 or later.
  2. INVENTORY: Identify all services and mobile apps loading ExecuTorch models, especially those accepting models from external or user-controlled sources.
  3. RESTRICT: Until patched, enforce strict model provenance — load only cryptographically signed models from internal registries; reject any externally sourced .pte files.
  4. DETECT: Monitor for anomalous crashes or segfaults in model-loading components, which may indicate active probing or exploitation attempts.
  5. SBOM: If running a mobile AI product, notify downstream users of the affected Android SDK dependency and release an updated build.

What systems are affected by CVE-2025-30404?

This vulnerability affects the following AI/ML architecture patterns: Edge / on-device inference, Mobile AI applications (Android), Model serving pipelines, Model registry / distribution systems, CI/CD model validation pipelines.

What is the CVSS score for CVE-2025-30404?

CVE-2025-30404 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit d158236b1dc84539c1b16843bc74054c9dcba006.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch model file (.pte) with integer values in the model header carefully chosen to trigger an overflow during allocation size calculation. When the target application loads this file — via a compromised model update server, a malicious model uploaded to a shared registry, or a social-engineered file download — the overflow causes two allocations to occupy overlapping memory regions. The adversary controls the content written to the second allocation, overwriting a function pointer or return address in the first. On next invocation of the corrupted structure, attacker-controlled code executes in the context of the mobile app or inference service. No authentication, credentials, or prior access to the target system is required beyond the ability to deliver the malicious model file.
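The bug class described above, modelled as an added example that is not ExecuTorch's code: a size multiplication that wraps reserves fewer bytes than later code believes it owns, so neighbouring buffers overlap, while a checked planner rejects the descriptor. The bump allocator, the 32-bit size_t width, the function names and the sample descriptors are assumptions.

```python
SIZE_MAX = 2**32 - 1  # assumption: 32-bit size_t, as on 32-bit Android ABIs


def plan_unchecked(specs):
    """Bump-allocate (numel, itemsize) buffers with wrapping size_t arithmetic.

    Returns (offset, reserved_bytes, intended_bytes) per buffer.
    """
    plan, offset = [], 0
    for numel, itemsize in specs:
        intended = numel * itemsize        # what later code believes it owns
        reserved = intended & SIZE_MAX     # what fixed-width math reserves
        plan.append((offset, reserved, intended))
        offset = (offset + reserved) & SIZE_MAX
    return plan


def overlapping_pairs(plan):
    """Index pairs whose intended extents intersect."""
    pairs = []
    for i, (off_i, _, len_i) in enumerate(plan):
        for j in range(i + 1, len(plan)):
            off_j, _, len_j = plan[j]
            if max(off_i, off_j) < min(off_i + len_i, off_j + len_j):
                pairs.append((i, j))
    return pairs


def plan_checked(specs, arena_size):
    """Same planner, rejecting any size or offset that does not fit."""
    plan, offset = [], 0
    for numel, itemsize in specs:
        # Divide instead of multiplying so the check itself cannot wrap in C.
        if numel < 0 or itemsize <= 0 or numel > SIZE_MAX // itemsize:
            raise ValueError(f"size overflow: {numel} x {itemsize}")
        nbytes = numel * itemsize
        if nbytes > arena_size - offset:
            raise ValueError("buffer does not fit in arena")
        plan.append((offset, nbytes, nbytes))
        offset += nbytes
    return plan


# Constructed descriptors: the first multiplies out to 2**32 + 4 bytes.
HOSTILE = [(0x4000_0001, 4), (16, 4)]
BENIGN = [(16, 4), (16, 4)]
```

Running `overlapping_pairs(plan_unchecked(...))` over descriptors extracted in a CI model-validation stage flags files whose sizes only fit after wrapping.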

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 8, 2025
Last Modified: October 6, 2025
First Seen: March 24, 2026
