CVE-2025-54950: ExecuTorch: OOB read in model loader enables RCE

GHSA-f9hx-c6jf-3qxm CRITICAL PoC AVAILABLE CISA: TRACK*
Published August 8, 2025
CISO Take

ExecuTorch's model parser has an out-of-bounds read during deserialization of a model file. At minimum it crashes the runtime; with a favorable memory layout it can be leveraged for code execution in the loading process. No authentication or user interaction is required beyond getting the runtime to parse a crafted file (CVSS 9.8). Any mobile, edge, or Android AI deployment that loads ExecuTorch models from externally controlled sources is directly at risk. Upgrade to 0.7.0 immediately and enforce cryptographically verified model provenance before loading.

Risk Assessment

CVSS 9.8 (Critical): the vector is scored as network-accessible with zero privileges and zero user interaction, which makes this a maximum-severity patch target. In practice the attacker's delivery mechanism is a crafted model file, so exposure tracks wherever your runtime can be made to parse a .pte it did not build. The EPSS score of 0.3% is a low predicted 30-day exploitation likelihood, not evidence of absent exploitation; it most likely reflects ExecuTorch's specialized deployment profile rather than difficulty, since the out-of-bounds primitive fires as soon as a malicious file is parsed. Note the gap between primitive and outcome: an out-of-bounds read alone yields a crash or information disclosure, and turning it into code execution depends on memory layout and is not guaranteed. Risk is amplified in edge AI and mobile contexts, where EDR/NDR coverage is absent and model update cycles are slower than for traditional software. Organizations with MLOps pipelines pulling models from external registries or public model hubs face the highest exposure.

Affected Systems

Package                         Ecosystem   Vulnerable Range   Patched
executorch                      pip         < 0.7.0            0.7.0
org.pytorch:executorch-android  maven       < 0.7.0            0.7.0

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 55% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

  1. PATCH

    Upgrade to ExecuTorch 0.7.0 (pip: pip install "executorch>=0.7.0", quoted so the shell does not treat ">" as a redirect; Maven: org.pytorch:executorch-android:0.7.0). If building from source, make sure your tree includes patch commit fb03b6f85596a8f954d97929075335255b6a58d4.

  2. MODEL PROVENANCE

    Load only models signed with a key under your control. Never load model files from user-supplied URLs, third-party repositories, or unverified model hubs. Implement hash verification (SHA-256) for all model artifacts in CI/CD.

  3. ISOLATION

    Sandbox the ExecuTorch runtime process with minimal OS privileges (seccomp, SELinux, or containerization) to contain blast radius of exploitation.

  4. DETECTION

    Monitor inference service processes for native crashes (SIGSEGV/SIGBUS in the model parser), allocation failures, and unexpected child process spawning, and correlate them with model load events. Audit model loading code paths for any dynamic or network-sourced model paths.

  5. MOBILE

    Push an emergency app update for Android apps using the vulnerable Maven artifact; do not rely on user-initiated updates for a CVSS 9.8 RCE.
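The verify-then-load gate from the MODEL PROVENANCE step, as an added example (not ExecuTorch project code). It admits a .pte only if its SHA-256 matches a manifest produced by a trusted build, and hands the runtime the exact bytes that were hashed rather than re-reading the path. The manifest format, the `stub_runtime_load` stand-in for the real loader, and the sample model bytes are all constructed for the example.

```python
"""Added example, not ExecuTorch project code: admit a .pte only if its
SHA-256 matches a manifest produced by a trusted build, then hand the
runtime the exact bytes that were hashed (no second read of the path).
`stub_runtime_load` stands in for the real ExecuTorch loader."""
import hashlib
import hmac
import json
from typing import Callable, Dict


class UntrustedModelError(Exception):
    """Raised when a model artifact is absent from, or disagrees with, the manifest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Build side (CI): record the digest of every approved artifact.

    The manifest itself must reach the device through a channel the attacker
    cannot write to, e.g. bundled inside the signed APK or signed with the
    release key; a digest list the attacker can replace proves nothing.
    """
    digests = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    return json.dumps(digests, sort_keys=True)


def load_verified_model(name: str, data: bytes, manifest_json: str,
                        runtime_load: Callable[[bytes], object]) -> object:
    """Consumer side: verify-then-load on one in-memory copy of the file.

    Hashing the bytes we pass to the loader (rather than the path) closes the
    window where a file could be swapped between check and use.
    """
    manifest = json.loads(manifest_json)
    expected = manifest.get(name)
    if expected is None:
        raise UntrustedModelError(f"{name!r} is not an approved artifact")
    actual = sha256_hex(data)
    # Constant-time comparison: the digests are not secret, but keeping the
    # comparison uniform avoids a timing side channel creeping in later.
    if not hmac.compare_digest(actual, expected):
        raise UntrustedModelError(f"{name!r}: digest {actual} != manifest {expected}")
    return runtime_load(data)


def stub_runtime_load(data: bytes) -> dict:
    """Stand-in for the ExecuTorch loader (assumption: it accepts raw bytes)."""
    return {"loaded_bytes": len(data)}


# Constructed sample artifact; not a real model file.
GOOD_MODEL = b"\x00constructed-pte-model-bytes\x01\x02\x03"
MANIFEST = build_manifest({"classifier.pte": GOOD_MODEL})


def demo() -> dict:
    """Approved bytes load; a one-byte modification and an unknown name are refused."""
    results = {"approved": load_verified_model("classifier.pte", GOOD_MODEL,
                                               MANIFEST, stub_runtime_load)}
    tampered = GOOD_MODEL[:-1] + b"\xff"
    for label, name, blob in (("tampered", "classifier.pte", tampered),
                              ("unknown", "benchmark.pte", GOOD_MODEL)):
        try:
            load_verified_model(name, blob, MANIFEST, stub_runtime_load)
            results[label] = "loaded"   # must not happen
        except UntrustedModelError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The digest check only helps if the manifest is anchored to a trust root the attacker cannot reach (the signed app package or a release-key signature); a manifest fetched from the same registry as the model is just a second attacker-controlled file.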

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI System Risk Management
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain, maintain, and improve AI system trustworthiness
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-54950?

ExecuTorch's model parser has an out-of-bounds read during deserialization of a model file. At minimum it crashes the runtime; with a favorable memory layout it can be leveraged for code execution in the loading process. No authentication or user interaction is required beyond getting the runtime to parse a crafted file (CVSS 9.8). Any mobile, edge, or Android AI deployment that loads ExecuTorch models from externally controlled sources is directly at risk. Upgrade to 0.7.0 immediately and enforce cryptographically verified model provenance before loading.

Is CVE-2025-54950 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-54950, increasing the risk of exploitation.

How to fix CVE-2025-54950?

1. PATCH: Upgrade to ExecuTorch 0.7.0 (pip: `pip install "executorch>=0.7.0"`, quoted so the shell does not treat `>` as a redirect; Maven: `org.pytorch:executorch-android:0.7.0`). If building from source, make sure your tree includes patch commit fb03b6f85596a8f954d97929075335255b6a58d4.
2. MODEL PROVENANCE: Load only models signed with a key under your control. Never load model files from user-supplied URLs, third-party repositories, or unverified model hubs. Implement hash verification (SHA-256) for all model artifacts in CI/CD.
3. ISOLATION: Sandbox the ExecuTorch runtime process with minimal OS privileges (seccomp, SELinux, or containerization) to contain the blast radius of exploitation.
4. DETECTION: Monitor inference service processes for native crashes (SIGSEGV/SIGBUS in the model parser), allocation failures, and unexpected child process spawning, and correlate them with model load events. Audit model loading code paths for any dynamic or network-sourced model paths.
5. MOBILE: Push an emergency app update for Android apps using the vulnerable Maven artifact; do not rely on user-initiated updates for a CVSS 9.8 RCE.
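The monitoring described in the DETECTION step, run over constructed log lines, as an added example that is not part of this advisory or the ExecuTorch project. It flags a native crash that follows a model load, a burst of crashes in the inference service, and a child process spawned by that service. The log formats are assumptions: a syslog-style "loading model" line emitted by the service, the Linux kernel's "segfault at" message, and an audit-style execve record; the service name `inference-svc` and library name are invented.

```python
"""Added example, not ExecuTorch project code: crash/exec detection for an
inference service, run over constructed log lines. Formats are assumed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOAD_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: loading model (?P<path>\S+)")
SEGV_RE = re.compile(r"^(?P<ts>\S+) kernel: (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: segfault at")
EXEC_RE = re.compile(r'^(?P<ts>\S+) audit: execve by pid (?P<pid>\d+) comm="(?P<proc>[\w-]+)" exe="(?P<exe>[^"]+)"')

CRASH_AFTER_LOAD = timedelta(seconds=30)   # a crash this soon after a load points at the parser
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 2                        # crashes within BURST_WINDOW before raising "crash-burst"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines: List[str], watched_proc: str = "inference-svc") -> List[Dict[str, str]]:
    """Return findings in log order; each carries the rule name and the evidence."""
    findings: List[Dict[str, str]] = []
    last_load: Dict[str, Tuple[datetime, str]] = {}   # pid -> (time, model path)
    crashes: List[datetime] = []                       # segfault times in the window
    for line in lines:
        m = LOAD_RE.match(line)
        if m and m["proc"] == watched_proc:
            last_load[m["pid"]] = (parse_ts(m["ts"]), m["path"])
            continue
        m = SEGV_RE.match(line)
        if m and m["proc"] == watched_proc:
            ts = parse_ts(m["ts"])
            load = last_load.get(m["pid"])
            if load and ts - load[0] <= CRASH_AFTER_LOAD:
                findings.append({"rule": "crash-after-model-load", "pid": m["pid"], "model": load[1]})
            crashes = [t for t in crashes if ts - t <= BURST_WINDOW] + [ts]
            if len(crashes) == BURST_THRESHOLD:
                findings.append({"rule": "crash-burst", "count": str(len(crashes))})
            continue
        m = EXEC_RE.match(line)
        if m and m["proc"] == watched_proc:
            # The inference service has no business exec'ing anything; a shell
            # here is the classic post-exploitation tell.
            findings.append({"rule": "unexpected-child-process", "pid": m["pid"], "exe": m["exe"]})
    return findings


# Constructed sample log: one benign load, two crashes right after loading an
# uploaded "benchmark" model, and one service instance that spawned a shell.
SAMPLE_LOG = [
    "2025-08-08T10:00:01Z inference-svc[4211]: loading model /data/models/classifier.pte",
    "2025-08-08T10:00:02Z inference-svc[4211]: inference ok latency_ms=12",
    "2025-08-08T10:03:40Z inference-svc[4212]: loading model /tmp/upload/benchmark.pte",
    "2025-08-08T10:03:41Z kernel: inference-svc[4212]: segfault at 7f1c3a004000 ip 00007f1c39c1e2d0 "
    "sp 00007ffd7a8c1e30 error 4 in libmodelparse.so[7f1c39c00000+80000]",
    "2025-08-08T10:04:05Z inference-svc[4213]: loading model /tmp/upload/benchmark.pte",
    '2025-08-08T10:04:07Z audit: execve by pid 4213 comm="inference-svc" exe="/system/bin/sh"',
    "2025-08-08T10:05:10Z inference-svc[4214]: loading model /tmp/upload/benchmark.pte",
    "2025-08-08T10:05:11Z kernel: inference-svc[4214]: segfault at 7f9e1b004000 ip 00007f9e1ac1e2d0 "
    "sp 00007ffc2a1c0e30 error 4 in libmodelparse.so[7f9e1ac00000+80000]",
]


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The "crash-after-model-load" rule is the one worth tuning first: on a fleet of devices it turns a single user's crash report into a pointer at the exact model path that triggered the parser bug.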

What systems are affected by CVE-2025-54950?

This vulnerability affects the following AI/ML architecture patterns: edge AI inference, mobile ML deployment, on-device model serving, Android AI applications, MLOps model loading pipelines.

What is the CVSS score for CVE-2025-54950?

CVE-2025-54950 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.32%.

Technical Details

NVD Description

An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit fb03b6f85596a8f954d97929075335255b6a58d4.

Exploitation Scenario

An adversary crafts a malicious ExecuTorch model file (.pte) with a manipulated flatbuffer header or tensor metadata structure designed to cause the deserializer to read memory beyond allocated buffer bounds. The attacker distributes this file via a typosquatted model package on PyPI or Maven Central, a compromised internal model registry, or social engineering targeting an MLOps engineer into pulling a 'benchmark model' from an attacker-controlled URL. When the application calls the model loader, the out-of-bounds read is triggered—at minimum crashing the inference service (reliable DoS), and in favorable memory layouts, allowing the adversary to control execution flow and achieve RCE within the application process. On Android, successful exploitation yields code execution at the app's UID, potentially accessing tokens, on-device model weights, and sensitive inference data.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 8, 2025
Last Modified
October 6, 2025
First Seen
March 24, 2026

Related Vulnerabilities