CVE-2025-32434: PyTorch: RCE bypasses weights_only=True safe-load guard

GHSA-53q9-r3pm-6pq6 | CRITICAL | PoC available | CISA SSVC: Track*
Published April 18, 2025
CISO Take

Any system that loads PyTorch checkpoints with torch.load() is exposed to remote code execution, including callers that set weights_only=True, the flag PyTorch documented as the safe way to load untrusted files. Upgrade to torch >= 2.6.0 immediately; this is not optional (2.6.0 also makes weights_only=True the default). Until every loader is patched, treat all externally sourced model files as untrusted input regardless of loading parameters.

Risk Assessment

CRITICAL. CVSS 9.8: the vector scores the attack as network-reachable with no authentication and no user interaction, which reflects the fact that the malicious artifact arrives over the network; the actual trigger is a victim process calling torch.load() on an attacker-controlled checkpoint. The amplifying factor is deception: weights_only=True was the documented mitigation for pickle-based checkpoints, so teams that followed security guidance are still exposed. The attack surface is enormous: model hubs, CI/CD pipelines pulling pre-trained weights, inference servers, and any MLOps workflow that loads .pt/.pth files. The EPSS score of 1.2% is low today, but a public PoC is already indexed (see Exploitation Status below), so exploitation requires little original research.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
pytorch    pip          (none listed)       No patch
torch      pip          < 2.6.0             2.6.0

Note: the PyTorch project is distributed on PyPI as torch; the PyPI name pytorch is an unrelated placeholder distribution, so the torch row is the one that applies to real installations.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
1.2%
chance of exploitation in 30 days
Higher than 79% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. PATCH

    Upgrade torch to >= 2.6.0 immediately (pip install --upgrade "torch>=2.6.0") and pin that floor in requirements and lock files so a cached older wheel cannot be reinstalled. Confirm with python -c "import torch; print(torch.__version__)" on every host that loads models, including CI runners and inference images.

  2. INVENTORY

    Identify all code paths that deserialize checkpoints: grep the codebase for 'torch.load' and 'from torch import load', and remember that library wrappers call it on your behalf (for example transformers' from_pretrained() on a pytorch_model.bin file). Every call site, with or without weights_only, needs a patched torch underneath it.

  3. VALIDATE MODEL PROVENANCE

    Verify model artifacts before loading: pin each artifact to a hash recorded from a trusted source (an internal registry or the publisher's signed manifest) and, where available, check a signature (for example Sigstore-based model signing). A checksum proves only that you have the file the publisher uploaded, not that the publisher or the file is benign. Prefer the safetensors format where the model is offered in it; it carries no pickle stream, so loading it cannot execute code.

  4. SANDBOX

    Run model loading in isolated containers/VMs with no network egress and minimal filesystem access, and without cloud credentials or registry tokens mounted.

  5. DETECT

    Alert on unexpected network connections or subprocess spawns from model-serving and training processes. Deserializing a state dict has no legitimate reason to do either, so such events are high-fidelity signals.

  6. INTERIM WORKAROUND

    If patching is delayed, only load models from cryptographically verified, internal-only sources and block external model downloads at the network level.
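The inventory, version gate and provenance steps above, as an added worked example in Python. This is not code from the advisory or from the PyTorch project; the function names, the hypothetical hash pin, the sample source snippet and the placeholder checkpoint file are this example's own constructed inputs. The guarded loader imports torch only when it is called, so the checks can be exercised on a machine without torch installed.

```python
# Added example for this advisory's remediation steps (inventory, version gate,
# provenance check, guarded load). Not code from the advisory or from PyTorch;
# names, the hash pin and the sample inputs are this example's own assumptions.
import ast
import hashlib
import hmac
import importlib
import os
import re
import tempfile

PATCHED_VERSION = (2, 6, 0)  # first torch release that fixes CVE-2025-32434


def parse_torch_version(version: str) -> tuple:
    """'2.5.1+cu121' -> (2, 5, 1); build tags such as +cu121 are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised torch version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True when the installed torch is 2.6.0 or later."""
    return parse_torch_version(version) >= PATCHED_VERSION


def find_torch_load_calls(source: str) -> list:
    """Inventory step, stricter than grep: parse the source and return
    (line, weights_only) for every torch.load(...) call. weights_only is None
    when the kwarg is absent, its literal value when constant, or 'dynamic'
    when computed at runtime. Aliases (from torch import load) are not matched."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "load"
                and isinstance(func.value, ast.Name) and func.value.id == "torch"):
            continue
        weights_only = None
        for kw in node.keywords:
            if kw.arg == "weights_only":
                weights_only = (kw.value.value if isinstance(kw.value, ast.Constant)
                                else "dynamic")
        findings.append((node.lineno, weights_only))
    return findings


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: str, expected_sha256: str) -> bool:
    """Provenance step: the file must match a hash recorded from a trusted
    source (internal registry or signed manifest) before it is deserialized."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def guarded_load(path: str, expected_sha256: str, torch_module=None):
    """Version gate, then hash pin, then torch.load(..., weights_only=True).
    torch is imported lazily; torch_module lets the gate be tested without it."""
    torch = torch_module or importlib.import_module("torch")
    if not is_patched(torch.__version__):
        raise RuntimeError(f"torch {torch.__version__} is vulnerable to "
                           "CVE-2025-32434; upgrade to >= 2.6.0 before loading")
    if not verify_artifact(path, expected_sha256):
        raise ValueError(f"{path}: SHA-256 mismatch, refusing to deserialize")
    # Keep weights_only=True explicit even on patched torch, and load to CPU.
    return torch.load(path, map_location="cpu", weights_only=True)


class _OldTorch:
    """Stand-in module object with a vulnerable version, used only by demo()."""
    __version__ = "2.5.1+cu121"


def demo() -> dict:
    """Constructed inputs: a source snippet to inventory and a throwaway file
    standing in for a checkpoint (it is not a real PyTorch archive)."""
    sample_source = (
        "import torch\n"
        "a = torch.load(path)\n"                      # no flag: full pickle
        "b = torch.load(path, weights_only=True)\n"   # flag set, still needs 2.6.0
        "c = torch.load(path, weights_only=flag)\n"   # decided at runtime
    )
    payload = b"constructed placeholder, not a real checkpoint"
    fd, fake_ckpt = tempfile.mkstemp(suffix=".pt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    expected = hashlib.sha256(payload).hexdigest()
    try:
        guarded_load(fake_ckpt, expected, torch_module=_OldTorch)
        gate_blocked = False
    except RuntimeError:
        gate_blocked = True
    results = {
        "call_sites": find_torch_load_calls(sample_source),
        "vulnerable_2_5_1": not is_patched("2.5.1+cu121"),
        "patched_2_6_0": is_patched("2.6.0"),
        "hash_ok": verify_artifact(fake_ckpt, expected),
        "hash_tampered": verify_artifact(fake_ckpt, "00" * 32),
        "gate_blocks_old_torch": gate_blocked,
    }
    os.unlink(fake_ckpt)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The AST scan reports a weights_only value of None for call sites that rely on the default, which on torch < 2.6.0 means a full, unrestricted pickle load; those are the first sites to fix, but as the advisory stresses, the weights_only=True sites are unsafe until the interpreter's torch is 2.6.0 or later, which is why the version gate runs before the hash check rather than after.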

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 17 - Quality management system Article 9 - Risk management system for high-risk AI
ISO 42001
A.6.2.6 - AI supply chain security A.8.4 - AI system risk management during deployment
NIST AI RMF
GOVERN 1.1 - Policies and processes for AI risk MEASURE 2.5 - Risk metrics for AI components and dependencies
OWASP LLM Top 10
LLM03 - Training Data Poisoning / Supply Chain

Frequently Asked Questions

What is CVE-2025-32434?

CVE-2025-32434 is a critical (CVSS 9.8) deserialization flaw in PyTorch 2.5.1 and earlier: a crafted checkpoint loaded with torch.load() executes arbitrary code even when weights_only=True is set, the flag that was meant to restrict loading to tensor data. It is fixed in torch 2.6.0; until then, every externally sourced model file must be treated as untrusted input.

Is CVE-2025-32434 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-32434, increasing the risk of exploitation.

How to fix CVE-2025-32434?

Upgrade torch to >= 2.6.0 and pin that floor; inventory every torch.load() call site, including library wrappers that call it for you; verify model artifacts (hash pin or signature) before loading, preferring safetensors where available; load models in a sandbox with no network egress and no credentials; alert on subprocess or network activity from model-loading processes; and, until patched, load only internally verified models and block external model downloads at the network level. See Recommended Action above for the full steps.

What systems are affected by CVE-2025-32434?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, transfer learning workflows, MLOps CI/CD pipelines, model registries and hubs.

What is the CVSS score for CVE-2025-32434?

CVE-2025-32434 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.22%.

Technical Details

NVD Description

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

Exploitation Scenario

An adversary publishes a malicious PyTorch model to a public hub (Hugging Face, GitHub, Kaggle), either a novel model or a trojanized version of a popular one (BERT, Llama, ResNet). A data scientist or MLOps pipeline downloads it and loads it with torch.load(model_path, weights_only=True), trusting the flag to provide safety. A .pt/.pth checkpoint is a zip archive whose data.pkl member is a Python pickle stream; weights_only=True swaps in a restricted unpickler meant to resolve only tensor-related types, and the crafted stream bypasses that restriction, executing arbitrary Python during deserialization. The adversary achieves RCE on the inference server or training node, establishes persistence, and pivots to training data, model IP, cloud credentials, or connected infrastructure. In a model-serving context that accepts model files through an API, the attack may be remotely triggerable without the victim manually downloading anything.
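To make the deserialization step concrete, an added example that is not code from the advisory or from PyTorch, and that does not reproduce the CVE-2025-32434 bypass (which this page does not detail): a constructed state-dict pickle beside a constructed malicious one, a static opcode scan that lists the globals a stream would import without executing it, and a minimal allowlisting unpickler of the same shape as torch's weights_only path. The allowlist and the harmless stand-in callable (platform.python_version in place of os.system or subprocess.Popen) are this example's assumptions.

```python
# Added example illustrating the pickle mechanism behind this class of bug.
# Not code from the advisory or from PyTorch, and not the CVE-2025-32434
# payload: the allowlist below is a hypothetical minimal one, not torch's.
import collections
import io
import pickle
import pickletools
import platform


def build_state_dict_pickle() -> bytes:
    """Constructed benign 'checkpoint': an OrderedDict of weights pickled with
    protocol 2 (torch.save's default), shaped like a state_dict minus the
    tensor storages."""
    state = collections.OrderedDict()
    state["fc.weight"] = [[0.1, -0.2], [0.3, 0.4]]
    state["fc.bias"] = [0.0, 0.0]
    return pickle.dumps(state, protocol=2)


class _Payload:
    """An object whose __reduce__ names a callable for the unpickler to run.
    platform.python_version is a harmless stand-in for os.system etc."""
    def __reduce__(self):
        return (platform.python_version, ())


def build_malicious_pickle() -> bytes:
    """Constructed attacker stream: no class of its own survives in the
    bytes, only the instruction to import and call a global."""
    return pickle.dumps(_Payload(), protocol=2)


def globals_referenced(data: bytes) -> list:
    """Static triage without executing anything: every (module, name) the
    stream asks the unpickler to import. GLOBAL carries both names in its
    argument; STACK_GLOBAL takes them from the two preceding string pushes
    (a heuristic; memo lookups could defeat it)."""
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append(tuple(recent_strings[-2:]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def naive_load(data: bytes):
    """What torch.load(weights_only=False) amounts to: a full pickle load."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """The shape of the weights_only defence: resolve only allowlisted globals.
    Hypothetical allowlist for this example; torch's real list is longer."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    benign, malicious = build_state_dict_pickle(), build_malicious_pickle()
    try:
        restricted_load(malicious)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return {
        "benign_globals": globals_referenced(benign),
        "malicious_globals": globals_referenced(malicious),
        "benign_keys": list(restricted_load(benign).keys()),
        # True means the unpickler invoked the attacker-chosen callable.
        "naive_ran_payload": naive_load(malicious) == platform.python_version(),
        "restricted_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pickletools scan is a reasonable pre-load triage for the interim workaround (for a real checkpoint, run it on the data.pkl member extracted from the zip archive), but it is not a substitute for patching: a bypass of the restricted unpickler by definition gets past its allowlist, and a module-name scan is only as good as the list it is compared against.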

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 18, 2025
Last Modified
December 1, 2025
First Seen
April 18, 2025
