CVE-2025-54949: ExecuTorch: heap buffer overflow RCE via model loading

GHSA-9m39-3mf3-xwch CRITICAL CISA: TRACK*
Published August 8, 2025
CISO Take

Any system loading ExecuTorch model files from untrusted or external sources is exposed to remote code execution — CVSS 9.8, no authentication or user interaction required. Patch to ExecuTorch 0.7.0 immediately and audit every pipeline or mobile app that ingests .pte model files. If patching is blocked, enforce strict model provenance controls in the interim.

Risk Assessment

Critical severity. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates full network exploitability with no preconditions: trivial to trigger once a malicious model is delivered. EPSS is low (0.0017), suggesting no active mass exploitation yet, but this is a prime target for supply chain attacks given ExecuTorch's use in production mobile and edge AI deployments. Blast radius is significant: successful exploitation yields full process compromise on the device running inference.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
executorch | pip | < 0.7.0 | 0.7.0
org.pytorch:executorch-android | maven | < 0.7.0 | 0.7.0

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

  1. Patch immediately: upgrade to ExecuTorch 0.7.0 (pip, maven, source). The fix is in commit ede82493dae6d2d43f8c424e7be4721abe5242be.

  2. Restrict model sources: enforce allowlisting of model origins — only load models from internally signed and checksummed sources.

  3. Implement model integrity verification: SHA-256 checksums and code-signing for all model artifacts before loading.

  4. Audit CI/CD and MLOps pipelines: identify any automated step that pulls ExecuTorch models from external registries (HuggingFace Hub, S3, CDNs).

  5. Container and mobile scanning: scan Android APKs and Docker images for bundled executorch versions < 0.7.0.

  6. Detection: monitor for unexpected process spawns or memory anomalies originating from model loading processes.
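As an added example that is not part of this advisory or of the ExecuTorch project, the following Python gate implements steps 2, 3 and 5 above: it refuses a .pte file unless it appears in a signed manifest, its recorded origin is allowlisted, and its SHA-256 digest matches, and it checks an installed executorch version string against the 0.7.0 threshold. The manifest layout, the ALLOWED_ORIGINS value, the function names and the sample .pte bytes are assumptions constructed for the example; only the 0.7.0 version comes from the advisory.

```python
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path

# Patched release named in the advisory; anything older is vulnerable.
MIN_EXECUTORCH_VERSION = (0, 7, 0)

# Hypothetical allowlist of model origins for this example; in a real
# deployment this comes from signed configuration, not a hard-coded set.
ALLOWED_ORIGINS = {"https://models.internal.example/"}


class ModelRejected(Exception):
    """Raised when a .pte artifact fails a provenance or integrity check."""


def parse_version(text):
    """Reduce '0.6.0', '0.7.0rc1' or '0.7.0+cpu' to an int tuple (pre-release tags ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(installed_version):
    """True only if the installed executorch is at or above the fixed release."""
    return parse_version(installed_version) >= MIN_EXECUTORCH_VERSION


def sha256_of(path):
    """Stream the file so large models never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_model(model_path, manifest, allowed_origins=ALLOWED_ORIGINS):
    """Gate a model file before any ExecuTorch API touches it.

    manifest maps file name -> {"sha256": hex digest, "origin": URL}.
    The digest is checked before the loader parses the file, because the
    advisory places the overflow at parse time, not at inference time.
    """
    name = os.path.basename(model_path)
    entry = manifest.get(name)
    if entry is None:
        raise ModelRejected(f"{name}: not in the signed manifest")
    if not any(entry["origin"].startswith(o) for o in allowed_origins):
        raise ModelRejected(f"{name}: origin {entry['origin']} is not allowlisted")
    actual = sha256_of(model_path)
    if not hmac.compare_digest(actual, entry["sha256"]):
        raise ModelRejected(f"{name}: digest mismatch (expected {entry['sha256'][:12]}..., got {actual[:12]}...)")
    return model_path


def check_model(model_path, manifest):
    """Return (accepted, reason) instead of raising, for easy logging."""
    try:
        verify_model(model_path, manifest)
        return True, "ok"
    except ModelRejected as e:
        return False, str(e)


def build_demo():
    """Create a constructed sample .pte (random bytes, not a real model) plus a manifest."""
    tmp = Path(tempfile.mkdtemp(prefix="pte-gate-"))
    good = tmp / "classifier.pte"
    good.write_bytes(os.urandom(4096))  # constructed stand-in for a model file
    manifest = {
        "classifier.pte": {
            "sha256": sha256_of(good),
            "origin": "https://models.internal.example/classifier/v3/",
        }
    }
    # A second file altered after the manifest was signed: one appended byte.
    tampered = tmp / "tampered.pte"
    tampered.write_bytes(good.read_bytes() + b"\x00")
    manifest["tampered.pte"] = dict(manifest["classifier.pte"])
    return good, tampered, manifest


if __name__ == "__main__":
    good, tampered, manifest = build_demo()
    print(check_model(good, manifest))
    print(check_model(tampered, manifest))
    print("0.6.0 patched?", is_patched("0.6.0"), "| 0.7.0 patched?", is_patched("0.7.0"))
```

The gate runs entirely on file bytes and metadata, so it can sit in front of the loader in a CI step, a model-serving sidecar or an Android app's asset check without importing executorch; the version check is for inventory scripts that read the installed package version and flag anything below 0.7.0.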

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to detect and respond to AI risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-54949?

Any system loading ExecuTorch model files from untrusted or external sources is exposed to remote code execution — CVSS 9.8, no authentication or user interaction required. Patch to ExecuTorch 0.7.0 immediately and audit every pipeline or mobile app that ingests .pte model files. If patching is blocked, enforce strict model provenance controls in the interim.

Is CVE-2025-54949 actively exploited?

No confirmed active exploitation of CVE-2025-54949 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-54949?

  1. Patch immediately: upgrade to ExecuTorch 0.7.0 (pip, maven, source). The fix is in commit ede82493dae6d2d43f8c424e7be4721abe5242be.

  2. Restrict model sources: enforce allowlisting of model origins — only load models from internally signed and checksummed sources.

  3. Implement model integrity verification: SHA-256 checksums and code-signing for all model artifacts before loading.

  4. Audit CI/CD and MLOps pipelines: identify any automated step that pulls ExecuTorch models from external registries (HuggingFace Hub, S3, CDNs).

  5. Container and mobile scanning: scan Android APKs and Docker images for bundled executorch versions < 0.7.0.

  6. Detection: monitor for unexpected process spawns or memory anomalies originating from model loading processes.

What systems are affected by CVE-2025-54949?

This vulnerability affects the following AI/ML architecture patterns: Edge inference (on-device ML), Mobile AI deployment (Android), Model serving pipelines, MLOps/CI model loading pipelines, AI supply chain / model registries.

What is the CVSS score for CVE-2025-54949?

CVE-2025-54949 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.27%.

Technical Details

NVD Description

A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit ede82493dae6d2d43f8c424e7be4721abe5242be.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch .pte model file that encodes a heap buffer overflow payload in its model structure. The attacker publishes this model to a public model repository (e.g., HuggingFace, GitHub Releases) or compromises an internal model registry. A target organization's MLOps pipeline or mobile app automatically downloads and loads the model for inference — triggering the overflow at parse time, before any inference logic executes. With CVSS AV:N and no authentication required, this scenario scales: a single poisoned model artifact can compromise every deployment that loads it. In mobile contexts, exploitation would yield arbitrary code execution within the app's sandbox.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 8, 2025
Last Modified
October 6, 2025
First Seen
March 24, 2026

Related Vulnerabilities