CVE-2025-46148: PyTorch: PairwiseDistance silent miscalculation, integrity risk

MEDIUM
Published September 25, 2025
CISO Take

PyTorch's nn.PairwiseDistance(p=2) silently returns wrong results in eager mode (the default) in versions through 2.6.0, with no exception raised. Any pipeline that uses Euclidean distance for authentication, anomaly detection, or similarity search may therefore produce silently wrong decisions. Audit affected systems now, plan to upgrade once a patched release ships, and in the meantime replace the call with an explicit L2 computation (for example torch.linalg.vector_norm(a - b, ord=2, dim=-1)); torch.cdist also works, but note that it returns the full distance matrix rather than the row-wise distances PairwiseDistance gives.

What is the risk?

Medium by score, but the score understates the practical concern. The CVSS vector (AV:N/AC:L/PR:N/UI:N) says any remote caller can reach the faulty code path with no privileges or user interaction, and the silent nature of the miscalculation is the real danger: systems keep operating while producing wrong distance values, which is far harder to notice than a crash. Note that the same vector scores Confidentiality: Low and Integrity: None, which does not match the integrity framing of this advisory; treat the 5.3 as a weak signal and rate the issue by what a wrong distance does to your own decision logic. Highest risk is in distance-based security controls (biometric verification, similarity-based fraud detection, anomaly detection thresholds), where a wrong distance value can flip a binary allow/deny decision.

What systems are affected?

Package   Ecosystem   Vulnerable Range          Patched
PyTorch   pip         <= 2.6.0 (through 2.6.0)  No patch

Do you use PyTorch 2.6.0 or earlier and call nn.PairwiseDistance (or the F.pairwise_distance function behind it) with p=2 in eager mode? Then you're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 29% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Metric                      Value
AV  Attack Vector           Network
AC  Attack Complexity       Low
PR  Privileges Required     None
UI  User Interaction        None
S   Scope                   Unchanged
C   Confidentiality         Low
I   Integrity               None
A   Availability            None

What should I do?

5 steps

  1. PATCH

    Upgrade PyTorch once a fixed release beyond 2.6.0 is available; track https://github.com/pytorch/pytorch/pull/152993 for merge status.

  2. WORKAROUND (immediate)

    Replace nn.PairwiseDistance(p=2) with an explicit L2 computation such as torch.linalg.vector_norm(a - b, ord=2, dim=-1) or ((a - b) ** 2).sum(dim=-1).sqrt(). torch.cdist(a.unsqueeze(0), b.unsqueeze(0), p=2) is often suggested, but it returns the full N x M matrix of distances between every row of a and every row of b, whereas PairwiseDistance returns the N row-wise distances; if you use cdist, take the diagonal (equal batch sizes) or use the explicit form. Note also that PairwiseDistance adds eps (default 1e-6) to the difference before taking the norm, so even a correct module differs from the exact L2 by a tiny amount.

  3. AUDIT

    Search the codebase for all usages of nn.PairwiseDistance and F.pairwise_distance; flag any use in security-critical decision paths (auth, fraud, anomaly detection).

  4. DETECT

    Add regression tests asserting that nn.PairwiseDistance(p=2) output matches an explicit L2 computation within a tolerance on fixed inputs (set eps=0 in the module, or account for the eps offset); CI will then catch a regression on upgrade.

  5. VALIDATE

    For deployed models, run a shadow comparison of the current output against the workaround on production traffic and count how many allow/deny decisions flip, not just how far the numeric values differ.
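The workaround, regression test and shadow comparison from steps 2, 4 and 5 above, as one added example (not PyTorch project code and not from the advisory). It assumes a hypothetical accept-if-distance-at-or-below threshold of 1.0 and constructed sample embeddings; the reference distance is pure Python so it does not depend on the kernel under suspicion, and the torch comparison returns None when torch is not installed so the rest still runs. It goes slightly beyond the steps by counting decision flips in both directions, since a flip to "accept" is a bypass while a flip to "deny" is a false rejection.

```python
"""Regression and shadow-comparison harness for nn.PairwiseDistance(p=2).

Added example, not PyTorch project code. The acceptance threshold, the
embedding vectors and the "observed" distances are constructed for the
demonstration; substitute your own model's values.
"""
import math


def l2_reference(a, b):
    """Exact Euclidean (L2) distance between two equal-length vectors.

    Pure Python on plain floats, so it does not depend on the PyTorch
    kernel under suspicion and can serve as the oracle in a test.
    """
    if len(a) != len(b):
        raise ValueError("vectors must have the same dimension")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def l2_reference_batch(batch_a, batch_b):
    """Row-wise L2 distances, matching PairwiseDistance's (N,) output shape."""
    if len(batch_a) != len(batch_b):
        raise ValueError("batches must have the same number of rows")
    return [l2_reference(a, b) for a, b in zip(batch_a, batch_b)]


def decision_drift(reference_dists, candidate_dists, threshold):
    """Count allow/deny decisions that flip between two distance implementations.

    A sample is accepted when its distance is at or below the threshold.
    flipped_to_accept is the security-relevant direction: the candidate
    implementation admits something the reference would reject.
    """
    if len(reference_dists) != len(candidate_dists):
        raise ValueError("distance lists must align one-to-one")
    to_accept = to_deny = 0
    for ref, cand in zip(reference_dists, candidate_dists):
        ref_ok, cand_ok = ref <= threshold, cand <= threshold
        if cand_ok and not ref_ok:
            to_accept += 1
        elif ref_ok and not cand_ok:
            to_deny += 1
    return {"n": len(reference_dists),
            "flipped_to_accept": to_accept,
            "flipped_to_deny": to_deny}


def pairwise_distance_regression(batch_a, batch_b, rtol=1e-5, atol=1e-6):
    """Compare nn.PairwiseDistance(p=2) against an explicit L2 in PyTorch.

    Returns True if the module agrees with torch.linalg.vector_norm within
    tolerance, False if it does not, and None when torch is not installed.
    """
    try:
        import torch
    except ImportError:  # keep the harness usable on machines without torch
        return None
    a = torch.tensor(batch_a, dtype=torch.float64)
    b = torch.tensor(batch_b, dtype=torch.float64)
    # eps=0 removes the documented ||x - y + eps|| offset so the comparison
    # is exact rather than tolerance-masked; the module's default eps is 1e-6.
    got = torch.nn.PairwiseDistance(p=2, eps=0.0)(a, b)
    want = torch.linalg.vector_norm(a - b, ord=2, dim=-1)  # row-wise, shape (N,)
    return bool(torch.allclose(got, want, rtol=rtol, atol=atol))


# Constructed sample data: four 3-d "enrolled" embeddings and four probes.
ENROLLED = [[0.0, 0.0, 0.0], [1.0, 1.0, 1.0], [2.0, 0.0, 0.0], [0.5, 0.5, 0.5]]
PROBES = [[3.0, 4.0, 0.0], [1.0, 1.0, 1.9], [2.9, 0.0, 0.0], [0.5, 0.5, 2.4]]
THRESHOLD = 1.0  # hypothetical accept-if-at-or-below threshold


def run_demo():
    """Run the regression check and a shadow comparison on the sample data."""
    ref = l2_reference_batch(ENROLLED, PROBES)  # about [5.0, 0.9, 0.9, 1.9]
    # Constructed stand-in for distances logged from the suspect implementation
    # in production; in practice these come from the deployed model's outputs.
    observed = [5.0, 0.8, 1.1, 0.95]
    drift = decision_drift(ref, observed, THRESHOLD)
    torch_ok = pairwise_distance_regression(ENROLLED, PROBES)
    return {"reference": ref, "drift": drift, "torch_agrees": torch_ok}


if __name__ == "__main__":
    print(run_demo())
```

Run it under the PyTorch version you deploy: a False from pairwise_distance_regression means the module disagrees with the explicit L2 on your inputs, and a non-zero flipped_to_accept in the drift report is the number of samples your control would wrongly admit.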

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity of high-risk AI systems
ISO 42001
8.4 - AI system performance and accuracy
NIST AI RMF
MEASURE 2.5 - AI system performance and effectiveness
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-46148?

CVE-2025-46148 is a PyTorch bug in which nn.PairwiseDistance(p=2), run in eager mode (the default) on versions through 2.6.0, silently returns wrong distance values without raising an exception. Pipelines that use Euclidean distance for authentication, anomaly detection or similarity search can therefore make silently wrong decisions; there is no patched release yet, so audit affected code and switch to an explicit L2 computation in the interim.

Is CVE-2025-46148 actively exploited?

No confirmed active exploitation of CVE-2025-46148 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-46148?

1. PATCH: upgrade PyTorch once a fixed release beyond 2.6.0 is available (track https://github.com/pytorch/pytorch/pull/152993 for merge status). 2. WORKAROUND (immediate): replace nn.PairwiseDistance(p=2) with an explicit L2 computation such as torch.linalg.vector_norm(a - b, ord=2, dim=-1); if you use torch.cdist instead, remember it returns the full distance matrix, not the row-wise distances. 3. AUDIT: find all uses of nn.PairwiseDistance and F.pairwise_distance and flag those on security-critical decision paths (auth, fraud, anomaly detection). 4. DETECT: add tolerance-based regression tests comparing nn.PairwiseDistance(p=2) to the explicit L2 on fixed inputs so CI catches a regression on upgrade. 5. VALIDATE: shadow-compare current and workaround outputs on production traffic and count flipped allow/deny decisions.

What systems are affected by CVE-2025-46148?

This vulnerability affects the following AI/ML architecture patterns: embedding similarity pipelines, biometric authentication systems, anomaly detection models, metric learning / Siamese networks, recommendation systems, training pipelines using contrastive loss.

What is the CVSS score for CVE-2025-46148?

CVE-2025-46148 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.37%.

What is the AI security impact?

Affected AI Architectures

embedding similarity pipelines, biometric authentication systems, anomaly detection models, metric learning / Siamese networks, recommendation systems, training pipelines using contrastive loss

MITRE ATLAS Techniques

AML.T0001 Search Open AI Vulnerability Analysis
AML.T0010.001 AI Software
AML.T0015 Evade AI Model
AML.T0043.003 Manual Modification

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.

Exploitation Scenario

An adversary who knows about the miscalculation behavior (publicly documented in the GitHub issue and gist PoCs) targets a biometric authentication API backed by a PyTorch similarity model using nn.PairwiseDistance(p=2) in eager mode. They probe the API to characterize the gap between correct and incorrect distance values, then craft a facial embedding vector that the buggy implementation computes as within the acceptance threshold while the true L2 distance would reject it. Because no exception is raised and the system logs a normal 'accepted' decision, the bypass goes undetected. The same technique applies to anomaly detection systems where a malicious payload embedding is crafted to appear 'normal' under the faulty distance metric.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
September 25, 2025
Last Modified
October 3, 2025
First Seen
September 25, 2025
