CVE-2025-30405: ExecuTorch: integer overflow in model load → RCE

GHSA-84m3-f99p-cqx5 CRITICAL CISA: TRACK*
Published August 8, 2025
CISO Take

ExecuTorch is Meta's on-device AI inference runtime deployed in Android apps and Python pipelines. A CVSS 9.8 integer overflow during model loading enables remote code execution with no authentication and no user interaction required — any deployment that loads externally-sourced models is fully exposed. Patch to 0.7.0 immediately and audit all mobile/edge AI deployments that consume models from untrusted or update-served sources.

Risk Assessment

CRITICAL. The CVSS vector (AV:N/AC:L/PR:N/UI:N) represents the worst-case exploitability profile: no privileges, no interaction, low complexity. The primary amplifier is the mobile AI supply chain — apps that fetch models over the air or from model registries are trivially exploitable if an adversary can intercept or substitute the model file. EPSS at 0.15% reflects limited observed exploitation today, but the low attack complexity and high impact make this a high-priority target for threat actors targeting mobile AI stacks. Android deployments (Maven package) carry additional risk due to fragmented patching velocity.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| executorch | pip | < 0.7.0 | 0.7.0 |
| org.pytorch:executorch-android | maven | < 0.7.0 | 0.7.0 |

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 48% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

  1. PATCH: Upgrade executorch pip package to >=0.7.0 and executorch-android Maven artifact to >=0.7.0. Reference commit: 0830af8207240df8d7f35b984cdf8bc35d74fa73.
  2. INVENTORY: Identify all internal services, CI systems, and mobile apps loading ExecuTorch models.
  3. MODEL PROVENANCE: Enforce cryptographic signing and hash verification of all .pte model files before loading — reject unsigned or unverified artifacts.
  4. ISOLATION: Run ExecuTorch model loading in sandboxed processes with minimal privileges; use seccomp/AppArmor on Linux deployments.
  5. NETWORK CONTROLS: If models are fetched remotely, enforce TLS certificate pinning and restrict model download endpoints.
  6. DETECT: Monitor for crash signals (SIGSEGV, heap corruption reports) in applications loading ExecuTorch models as potential exploitation indicators.
  7. SHORT-TERM WORKAROUND: If patching is not immediately possible, load models only from immutable, locally-bundled sources under your direct control.
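One way to implement the MODEL PROVENANCE step as a gate in front of the loader, given here as an added example that is not part of the original advisory and not ExecuTorch code. The manifest layout, the function names and the key are hypothetical, and HMAC-SHA256 stands in for an asymmetric signature so the example needs only the standard library.

```python
import hashlib
import hmac
import json
from pathlib import Path

MAX_MODEL_BYTES = 512 * 1024 * 1024  # assumed cap; size it to your largest real model


class ModelRejected(Exception):
    """Raised when a model file fails any provenance check."""


def verify_manifest(manifest_bytes: bytes, tag_hex: str, key: bytes) -> dict:
    # HMAC-SHA256 stands in for an asymmetric signature (e.g. Ed25519) so the
    # example stays stdlib-only; a shipped client should verify with a public key.
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise ModelRejected("manifest authentication failed")
    return json.loads(manifest_bytes)


def load_verified_model(path: Path, manifest: dict) -> bytes:
    """Return the model bytes only if they match the authenticated manifest."""
    entry = manifest.get(path.name)
    if entry is None:
        raise ModelRejected(f"{path.name}: not listed in manifest")
    size = path.stat().st_size
    if size != entry["size"] or size > MAX_MODEL_BYTES:
        raise ModelRejected(f"{path.name}: unexpected size {size}")
    with path.open("rb") as fh:
        data = fh.read(entry["size"] + 1)  # read once; never trust stat() alone
    if len(data) != entry["size"]:
        raise ModelRejected(f"{path.name}: size changed during read")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise ModelRejected(f"{path.name}: SHA-256 mismatch")
    # Hand these exact bytes to the runtime; re-opening the path would
    # reintroduce a check-then-use gap.
    return data


def make_manifest(models: dict, key: bytes) -> tuple:
    """Publisher side (constructed helper): build and tag a manifest."""
    body = json.dumps({n: {"sha256": hashlib.sha256(b).hexdigest(), "size": len(b)}
                       for n, b in models.items()}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()
```

The gate returns the verified bytes rather than a boolean so that the loader consumes exactly what was hashed, and any `ModelRejected` should be logged and treated as a provenance failure rather than retried silently.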

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
  Article 9 - Risk management system
ISO 42001
  6.1.2 - AI risk assessment
  8.4 - AI system lifecycle management
NIST AI RMF
  GOVERN 1.7 - Processes for decommissioning and phase-out of AI systems
  MANAGE 2.2 - Mechanisms are in place to mitigate or respond to risks
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-30405?

ExecuTorch is Meta's on-device AI inference runtime deployed in Android apps and Python pipelines. A CVSS 9.8 integer overflow during model loading enables remote code execution with no authentication and no user interaction required — any deployment that loads externally-sourced models is fully exposed. Patch to 0.7.0 immediately and audit all mobile/edge AI deployments that consume models from untrusted or update-served sources.

Is CVE-2025-30405 actively exploited?

No confirmed active exploitation of CVE-2025-30405 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-30405?

1) PATCH: Upgrade executorch pip package to >=0.7.0 and executorch-android Maven artifact to >=0.7.0. Reference commit: 0830af8207240df8d7f35b984cdf8bc35d74fa73.
2) INVENTORY: Identify all internal services, CI systems, and mobile apps loading ExecuTorch models.
3) MODEL PROVENANCE: Enforce cryptographic signing and hash verification of all .pte model files before loading — reject unsigned or unverified artifacts.
4) ISOLATION: Run ExecuTorch model loading in sandboxed processes with minimal privileges; use seccomp/AppArmor on Linux deployments.
5) NETWORK CONTROLS: If models are fetched remotely, enforce TLS certificate pinning and restrict model download endpoints.
6) DETECT: Monitor for crash signals (SIGSEGV, heap corruption reports) in applications loading ExecuTorch models as potential exploitation indicators.
7) SHORT-TERM WORKAROUND: If patching is not immediately possible, load models only from immutable, locally-bundled sources under your direct control.

What systems are affected by CVE-2025-30405?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile AI deployment, on-device model serving, model serving, training pipelines.

What is the CVSS score for CVE-2025-30405?

CVE-2025-30405 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73.

Exploitation Scenario

An adversary targeting a financial services firm's mobile app that uses ExecuTorch for on-device fraud detection identifies that the app fetches updated model files from an S3 bucket over HTTPS. The adversary compromises the S3 bucket credentials (or performs a DNS hijack on the update endpoint), then crafts a malicious .pte model file with a specially constructed header where dimension or size fields are set to near-maximal integer values. When the app loads the model on startup, the integer overflow causes the runtime to allocate a small buffer while writing model objects to memory far outside that buffer. This corrupts adjacent heap structures and, with a moderately tuned payload, achieves RCE in the app's process context, gaining access to biometric data, credentials cached in memory, and device sensors. The attack requires no user action beyond the app's normal background model refresh.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 8, 2025
Last Modified
October 6, 2025
First Seen
March 24, 2026

Related Vulnerabilities