CVE-2025-3730: PyTorch DoS — MEDIUM

Q: Is CVE-2025-3730 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3730, increasing the risk of exploitation.

Q: How to fix CVE-2025-3730?

1. Patch: Upgrade torch to 2.8.0+ (patch commit 46fc5d8e). 2. Workaround if patching is deferred: enforce per-user process isolation in shared training environments via containers or VMs. 3. Apply cgroup/ulimit resource boundaries to training processes to limit crash blast radius. 4. In multi-tenant clusters, prohibit direct user access to shared PyTorch processes. 5. Detection: Alert on unexpected termination of training processes outside scheduled completion windows; monitor for torch process crashes correlated with ctc_loss workloads.

Q: What systems are affected by CVE-2025-3730?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML compute environments, notebook environments, CI/CD model training.

Q: What is the CVSS score for CVE-2025-3730?

CVE-2025-3730 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.27%.

CISO Take

A local denial-of-service vulnerability in PyTorch's CTC loss function allows low-privileged users to crash training processes — relevant primarily for shared ML compute environments like JupyterHub clusters or multi-user GPU servers. Production inference deployments are unaffected. Patch to torch 2.8.0+ during your next dependency cycle; no emergency response required.

What is the risk?

Low operational risk despite the medium CVSS score. The local attack vector (AV:L) eliminates remote exploitation, requiring existing system access. EPSS of 0.0005 confirms near-zero in-the-wild exploit activity, and PyTorch's own security team has questioned the CVE's existence. Highest exposure is in multi-tenant ML training infrastructure where untrusted users share a compute node. Containerized or single-tenant training environments face negligible risk.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PyTorch	pip	—	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 2d ago 11% patched ~216d to patch Full package profile →
PyTorch	pip	<= 2.7.1	`2.8.0`
100.9K OpenSSF 6.4 22.7K dependents Pushed 2d ago 11% patched ~216d to patch Full package profile →

How severe is it?

CVSS 3.1

5.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 18% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Patch: Upgrade torch to 2.8.0+ (patch commit 46fc5d8e).
Workaround if patching is deferred: enforce per-user process isolation in shared training environments via containers or VMs.
Apply cgroup/ulimit resource boundaries to training processes to limit crash blast radius.
In multi-tenant clusters, prohibit direct user access to shared PyTorch processes.
Detection: Alert on unexpected termination of training processes outside scheduled completion windows; monitor for torch process crashes correlated with ctc_loss workloads.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System

ISO 42001

A.6.2 - AI system operation and monitoring

NIST AI RMF

MANAGE 2.2 - Risk Treatment

Frequently Asked Questions

What is CVE-2025-3730?

A local denial-of-service vulnerability in PyTorch's CTC loss function allows low-privileged users to crash training processes — relevant primarily for shared ML compute environments like JupyterHub clusters or multi-user GPU servers. Production inference deployments are unaffected. Patch to torch 2.8.0+ during your next dependency cycle; no emergency response required.

Is CVE-2025-3730 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3730, increasing the risk of exploitation.

How to fix CVE-2025-3730?

1. Patch: Upgrade torch to 2.8.0+ (patch commit 46fc5d8e). 2. Workaround if patching is deferred: enforce per-user process isolation in shared training environments via containers or VMs. 3. Apply cgroup/ulimit resource boundaries to training processes to limit crash blast radius. 4. In multi-tenant clusters, prohibit direct user access to shared PyTorch processes. 5. Detection: Alert on unexpected termination of training processes outside scheduled completion windows; monitor for torch process crashes correlated with ctc_loss workloads.

What systems are affected by CVE-2025-3730?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML compute environments, notebook environments, CI/CD model training.

What is the CVSS score for CVE-2025-3730?

CVE-2025-3730 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

training pipelinesshared ML compute environmentsnotebook environmentsCI/CD model training

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2

NIST AI RMF: MANAGE 2.2

What are the technical details?

Original Advisory

A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue. The security policy of the project warns to use unknown models which might establish malicious effects.

Exploitation Scenario

A malicious data scientist on a shared GPU training server (e.g., a JupyterHub node) with a low-privileged account calls `torch.nn.functional.ctc_loss` with a crafted input that triggers the improper resource release bug. The PyTorch process crashes, immediately terminating any co-located training jobs sharing that process — including a colleague's 72-hour fine-tuning run. No external network access or elevated privileges required; attack is trivially repeatable to sustain disruption.

Weaknesses (CWE)

CWE-404 Improper Resource Shutdown or Release Primary CWE-404 Improper Resource Shutdown or Release

CWE-404 — Improper Resource Shutdown or Release: The product does not release or incorrectly releases a resource before it is made available for re-use.

[Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
[Implementation] It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.

Source: MITRE CWE corpus.