CVE-2025-30405: ExecuTorch: integer overflow in model load → RCE

GHSA-84m3-f99p-cqx5 | Severity: CRITICAL | CISA SSVC: Track*
Published August 8, 2025
CISO Take

ExecuTorch is Meta's on-device AI inference runtime deployed in Android apps and Python pipelines. A CVSS 9.8 integer overflow during model loading enables remote code execution with no authentication and no user interaction required — any deployment that loads externally-sourced models is fully exposed. Patch to 0.7.0 immediately and audit all mobile/edge AI deployments that consume models from untrusted or update-served sources.

What is the risk?

CRITICAL. The CVSS vector (AV:N/AC:L/PR:N/UI:N) represents the worst-case exploitability profile: no privileges, no interaction, low complexity. The primary amplifier is the mobile AI supply chain — apps that fetch models over the air or from model registries are trivially exploitable if an adversary can intercept or substitute the model file. EPSS at 0.15% reflects limited observed exploitation today, but the low attack complexity and high impact make this a high-priority target for threat actors targeting mobile AI stacks. Android deployments (Maven package) carry additional risk due to fragmented patching velocity.

What systems are affected?

Package                         Ecosystem  Vulnerable Range  Patched
ExecuTorch                      pip        < 0.7.0           0.7.0
org.pytorch:executorch-android  maven      < 0.7.0           0.7.0

pip package stats: 1 dependent, 92% patched, ~64 days to patch.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

  1. PATCH: Upgrade the executorch pip package to >=0.7.0 and the executorch-android Maven artifact to >=0.7.0. Reference commit: 0830af8207240df8d7f35b984cdf8bc35d74fa73.
  2. INVENTORY: Identify all internal services, CI systems, and mobile apps loading ExecuTorch models.
  3. MODEL PROVENANCE: Enforce cryptographic signing and hash verification of all .pte model files before loading; reject unsigned or unverified artifacts.
  4. ISOLATION: Run ExecuTorch model loading in sandboxed processes with minimal privileges; use seccomp/AppArmor on Linux deployments.
  5. NETWORK CONTROLS: If models are fetched remotely, enforce TLS certificate pinning and restrict model download endpoints.
  6. DETECT: Monitor for crash signals (SIGSEGV, heap corruption reports) in applications loading ExecuTorch models as potential exploitation indicators.
  7. SHORT-TERM WORKAROUND: If patching is not immediately possible, load models only from immutable, locally-bundled sources under your direct control.

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
  • Article 9 - Risk management system
ISO 42001
  • 6.1.2 - AI risk assessment
  • 8.4 - AI system lifecycle management
NIST AI RMF
  • GOVERN 1.7 - Processes for decommissioning and phase-out of AI systems
  • MANAGE 2.2 - Mechanisms are in place to mitigate or respond to risks
OWASP LLM Top 10
  • LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-30405?

ExecuTorch is Meta's on-device AI inference runtime deployed in Android apps and Python pipelines. A CVSS 9.8 integer overflow during model loading enables remote code execution with no authentication and no user interaction required — any deployment that loads externally-sourced models is fully exposed. Patch to 0.7.0 immediately and audit all mobile/edge AI deployments that consume models from untrusted or update-served sources.

Is CVE-2025-30405 actively exploited?

No confirmed active exploitation of CVE-2025-30405 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-30405?

  1. PATCH: Upgrade the executorch pip package to >=0.7.0 and the executorch-android Maven artifact to >=0.7.0. Reference commit: 0830af8207240df8d7f35b984cdf8bc35d74fa73.
  2. INVENTORY: Identify all internal services, CI systems, and mobile apps loading ExecuTorch models.
  3. MODEL PROVENANCE: Enforce cryptographic signing and hash verification of all .pte model files before loading; reject unsigned or unverified artifacts.
  4. ISOLATION: Run ExecuTorch model loading in sandboxed processes with minimal privileges; use seccomp/AppArmor on Linux deployments.
  5. NETWORK CONTROLS: If models are fetched remotely, enforce TLS certificate pinning and restrict model download endpoints.
  6. DETECT: Monitor for crash signals (SIGSEGV, heap corruption reports) in applications loading ExecuTorch models as potential exploitation indicators.
  7. SHORT-TERM WORKAROUND: If patching is not immediately possible, load models only from immutable, locally-bundled sources under your direct control.

What systems are affected by CVE-2025-30405?

This vulnerability affects the following AI/ML architecture patterns: edge inference, mobile AI deployment, on-device model serving, model serving, training pipelines.

What is the CVSS score for CVE-2025-30405?

CVE-2025-30405 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

edge inference, mobile AI deployment, on-device model serving, model serving, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73.

Exploitation Scenario

An adversary targeting a financial services firm's mobile app that uses ExecuTorch for on-device fraud detection identifies the app fetches updated model files from an S3 bucket over HTTPS. The adversary compromises the S3 bucket credentials (or performs a DNS hijack on the update endpoint), then crafts a malicious .pte model file with a specially constructed header where dimension or size fields are set to near-maximal integer values. When the app loads the model on startup, the integer overflow causes the runtime to allocate a small buffer while writing model objects to memory far outside that buffer. This corrupts adjacent heap structures and, with a moderately tuned payload, achieves RCE in the app's process context — gaining access to biometric data, credentials cached in-memory, and device sensors. The attack requires no user action beyond the app's normal background model refresh.

Weaknesses (CWE)

CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

  • [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.

Source: MITRE CWE corpus.
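As an added illustration of the CWE-190 pattern described above (example code written for this page, not ExecuTorch's loader and not the fix in commit 0830af8207240df8d7f35b984cdf8bc35d74fa73), the C snippet below uses a hypothetical tensor header whose 32-bit size fields drive an allocation: the unchecked size computation wraps to a tiny value, while the checked version detects the overflow and the out-of-file bound and rejects the header. The struct layout, field names and file length are constructed for the example.

```c
/* Added example, not ExecuTorch code: a hypothetical tensor header whose
 * 32-bit size fields drive an allocation, showing the CWE-190 wraparound
 * and the checked version that rejects it. C99, GCC or Clang builtins. */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical on-disk record (constructed layout, not the .pte format). */
typedef struct {
    uint32_t num_elements; /* number of tensor elements */
    uint32_t elem_size;    /* bytes per element */
    uint32_t data_offset;  /* where the tensor data starts in the file */
} tensor_hdr_t;

/* Unsafe: the product is formed in 32-bit arithmetic and truncated before
 * it is widened, so a hostile header yields a tiny allocation that later
 * element writes would overrun (the CWE-190 -> heap corruption path). */
size_t unchecked_alloc_size(const tensor_hdr_t *h) {
    uint32_t total = h->num_elements * h->elem_size; /* wraps modulo 2^32 */
    return (size_t)total;
}

/* Safe: compute in size_t with explicit overflow detection and also require
 * that offset + size lies inside the file.  Returns 0 on any rejection.
 * On 64-bit targets the product of two 32-bit fields cannot wrap size_t,
 * but the file-bound check still rejects it; on 32-bit targets (e.g.
 * armeabi-v7a, embedded) the overflow builtins are the decisive check. */
size_t checked_alloc_size(const tensor_hdr_t *h, size_t file_len) {
    size_t bytes, end;
    if (h->elem_size == 0 || h->num_elements == 0) return 0;
    if (__builtin_mul_overflow((size_t)h->num_elements, (size_t)h->elem_size, &bytes))
        return 0;
    if (__builtin_add_overflow((size_t)h->data_offset, bytes, &end)) return 0;
    if (end > file_len) return 0;
    return bytes;
}

int main(void) {
    const size_t file_len = 1u << 20; /* constructed 1 MiB model file */
    /* Constructed hostile header: 0x40000001 * 4 = 0x1_0000_0004 -> wraps to 4. */
    tensor_hdr_t hostile = { 0x40000001u, 4u, 16u };
    tensor_hdr_t benign  = { 1024u, 4u, 16u };
    printf("unchecked size for hostile header: %zu bytes\n", unchecked_alloc_size(&hostile)); /* 4 */
    printf("checked size for hostile header:   %zu (0 = rejected)\n", checked_alloc_size(&hostile, file_len));
    printf("checked size for benign header:    %zu bytes\n", checked_alloc_size(&benign, file_len)); /* 4096 */
    return 0;
}
```

The same pattern applies to any loader that multiplies header-supplied counts and widths: compute in the widest type, check the multiplication and addition for overflow, and bound the result by the actual file size before allocating.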

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 8, 2025
Last Modified: October 6, 2025
First Seen: March 24, 2026
