CVE-2025-3730: PyTorch: DoS via ctc_loss resource mishandling

GHSA-887c-mr87-cxwp | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published April 16, 2025
CISO Take

A local denial-of-service vulnerability in PyTorch's CTC loss function allows low-privileged users to crash training processes — relevant primarily for shared ML compute environments like JupyterHub clusters or multi-user GPU servers. Production inference deployments are unaffected. Patch to torch 2.8.0+ during your next dependency cycle; no emergency response required.

Risk Assessment

Low operational risk despite the medium CVSS score. The local attack vector (AV:L) eliminates remote exploitation, requiring existing system access. EPSS of 0.0005 confirms near-zero in-the-wild exploit activity, and PyTorch's own security team has questioned the CVE's existence. Highest exposure is in multi-tenant ML training infrastructure where untrusted users share a compute node. Containerized or single-tenant training environments face negligible risk.

Affected Systems

Package    Ecosystem    Vulnerable range    Patched
pytorch    pip                              No patch
torch      pip          <= 2.7.1            2.8.0

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 15% of all CVEs)
Exploitation status: exploit available; exploitation MEDIUM; sophistication trivial; exploitation confidence medium
CISA SSVC: Public PoC (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Recommended Action

  1. Patch: Upgrade torch to 2.8.0+ (patch commit 46fc5d8e).

  2. Workaround if patching is deferred: enforce per-user process isolation in shared training environments via containers or VMs.

  3. Apply cgroup/ulimit resource boundaries to training processes to limit crash blast radius.

  4. In multi-tenant clusters, prohibit direct user access to shared PyTorch processes.

  5. Detection: Alert on unexpected termination of training processes outside scheduled completion windows; monitor for torch process crashes correlated with ctc_loss workloads.
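A dependency gate for step 1, added here as an example (not code from the advisory or from the PyTorch project): it checks the installed torch build against the affected range the advisory gives (<= 2.7.1, patched in 2.8.0) and exits non-zero so a CI pipeline or shared-cluster preflight can block the job. The function names are mine, and treating 2.8.0 pre-releases as unpatched is an assumption, since the advisory names only the final release.

```python
"""Dependency gate for CVE-2025-3730: fail a CI job or cluster preflight when
the installed torch build falls in the affected range (<= 2.7.1, fixed 2.8.0).
Added example; not code from the advisory or from the PyTorch project."""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

FIXED_IN = (2, 8, 0)  # first torch release the advisory lists as patched

_RELEASE = re.compile(r"^\s*v?(?P<rel>\d+(?:\.\d+)*)(?P<rest>.*)$")
_PRE = re.compile(r"^[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_version(ver: str):
    """Split a PEP 440 string into (release tuple, is_prerelease).
    Local labels such as '+cu118' are ignored; '2.8' is padded to (2, 8, 0)."""
    m = _RELEASE.match(ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    parts = tuple(int(p) for p in m.group("rel").split("."))
    release = parts + (0,) * (3 - len(parts))
    rest = m.group("rest").split("+", 1)[0]  # drop the local segment
    return release, bool(_PRE.match(rest))


def is_affected(ver: str) -> bool:
    """True when the build is older than the fix. Assumption: a pre-release of
    2.8.0 (rc/dev/alpha) is treated as unpatched, since the advisory names
    only the final 2.8.0 release."""
    release, is_pre = parse_version(ver)
    return release < FIXED_IN or (release == FIXED_IN and is_pre)


def audit_installed(dist: str = "torch") -> dict:
    """Report on the installed distribution. The pip name is 'torch'; the
    separate 'pytorch' pip package has no patch per the advisory."""
    try:
        ver = installed_version(dist)
    except PackageNotFoundError:
        return {"package": dist, "installed": None, "affected": False,
                "advice": "not installed"}
    affected = is_affected(ver)
    return {"package": dist, "installed": ver, "affected": affected,
            "advice": "upgrade torch to 2.8.0+" if affected else "patched build"}


if __name__ == "__main__":
    import json, sys
    report = audit_installed()
    print(json.dumps(report))
    sys.exit(1 if report["affected"] else 0)  # non-zero exit fails the gate
```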

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.6.2 - AI system operation and monitoring
NIST AI RMF: MANAGE 2.2 - Risk Treatment

Frequently Asked Questions

Is CVE-2025-3730 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3730, increasing the risk of exploitation.

What systems are affected by CVE-2025-3730?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, shared ML compute environments, notebook environments, CI/CD model training.

What is the CVSS score for CVE-2025-3730?

CVE-2025-3730 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue. The security policy of the project warns against using unknown models, which might establish malicious effects.

Exploitation Scenario

A malicious data scientist on a shared GPU training server (e.g., a JupyterHub node) with a low-privileged account calls `torch.nn.functional.ctc_loss` with a crafted input that triggers the improper resource release bug. The PyTorch process crashes, immediately terminating any co-located training jobs sharing that process — including a colleague's 72-hour fine-tuning run. No external network access or elevated privileges are required, and the attack is trivially repeatable to sustain disruption.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: April 16, 2025
Last Modified: September 2, 2025
First Seen: April 16, 2025
