CVE-2025-54951: ExecuTorch: heap buffer overflow RCE in model loading

GHSA-xc7w-r669-48pf CRITICAL CISA: TRACK*
Published August 8, 2025
CISO Take

Any application loading ExecuTorch models from untrusted or remote sources is potentially vulnerable to unauthenticated RCE — no user interaction required. Update to ExecuTorch 0.7.0 immediately across pip and Maven dependencies. Prioritize Android deployments using org.pytorch:executorch-android and audit all model delivery pipelines for integrity controls.

Risk Assessment

CVSS 9.8 reflects the worst-case vector: network-reachable, zero complexity, no privileges, no interaction. Real-world exploitability hinges on whether the application loads models from attacker-influenced sources — CDNs, model hubs, or OTA update channels. EPSS at 0.17% indicates no confirmed active exploitation, but the attack surface is large given ExecuTorch's adoption across production Android and edge AI deployments. A working exploit requires crafting a malicious model file, placing the bar at moderate sophistication — but once crafted, delivery is trivial through compromised model distribution channels.

Affected Systems

Package                         Ecosystem  Vulnerable Range  Patched
executorch                      pip        < 0.7.0           0.7.0
org.pytorch:executorch-android  maven      < 0.7.0           0.7.0

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. Patch: upgrade to ExecuTorch 0.7.0 (pip install "executorch>=0.7.0", quoted so the shell does not treat >= as a redirect; Maven: org.pytorch:executorch-android:0.7.0).

  2. If immediate patching is blocked, restrict model loading to cryptographically signed artifacts from verified, controlled sources only — reject any unsigned or externally sourced models.

  3. Implement model file integrity verification (SHA-256 + signature check) before loading in all environments.

  4. For Android apps, audit OTA model update mechanisms for tamper resistance.

  5. Monitor for anomalous crashes or memory faults in inference processes as an exploitation indicator.

  6. Review transitive dependencies in ML serving stacks that bundle ExecuTorch.
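
As an added example (not code from the ExecuTorch project or from this advisory), a Python gate implementing steps 2 and 3: a pinned SHA-256 plus an authenticity tag, checked before the bytes reach any loader. HMAC-SHA256 is used here as a stand-in for an asymmetric signature so the block runs on the standard library alone; the key, model name, size cap and model bytes are all constructed, and the `loader` callable is a placeholder for ExecuTorch's own program-loading call.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Tuple

@dataclass(frozen=True)
class ModelManifest:
    """Pinned expectations for one .pte artifact. Shipped inside the app
    (or over a separately authenticated channel), never beside the model
    on the CDN, so a tampered model cannot bring its own manifest."""
    name: str
    sha256: str     # hex SHA-256 of the exact bytes the loader may parse
    tag: str        # hex authenticity tag over that digest, issued at release
    max_size: int   # hard byte cap enforced before hashing

def issue_tag(key: bytes, sha256_hex: str) -> str:
    """Release-pipeline side. HMAC-SHA256 stands in for an asymmetric
    signature (Ed25519/ECDSA) so the example needs only the standard
    library; with a real signature the app would hold only a public key."""
    return hmac.new(key, sha256_hex.encode(), hashlib.sha256).hexdigest()

def make_manifest(name: str, data: bytes, key: bytes, max_size: int) -> ModelManifest:
    """Release-pipeline side: pin digest and tag for a known-good artifact."""
    digest = hashlib.sha256(data).hexdigest()
    return ModelManifest(name, digest, issue_tag(key, digest), max_size)

def check_model(data: bytes, manifest: ModelManifest, key: bytes) -> Tuple[bool, str]:
    """App side. Every check runs before any parser touches the bytes, so a
    crafted .pte aimed at the loader never reaches it. Returns (ok, reason)."""
    if len(data) > manifest.max_size:
        return False, f"{manifest.name}: {len(data)} bytes exceeds cap"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, manifest.sha256):
        return False, f"{manifest.name}: SHA-256 mismatch"
    if not hmac.compare_digest(issue_tag(key, manifest.sha256), manifest.tag):
        return False, f"{manifest.name}: authenticity tag invalid"
    return True, "ok"

def safe_load(data: bytes, manifest: ModelManifest, key: bytes,
              loader: Callable[[bytes], object]) -> object:
    """Wrap the real loader (placeholder for ExecuTorch's program-loading
    call) so it is only ever invoked on verified bytes."""
    ok, reason = check_model(data, manifest, key)
    if not ok:
        raise ValueError(reason)   # log it and keep the previous known-good model
    return loader(data)
```

On rejection the app should keep serving the last verified model rather than fall back to an unverified download.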

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI system security
NIST AI RMF
MANAGE 2.2 - Risk treatments including response plans are maintained
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2025-54951 actively exploited?

No confirmed active exploitation of CVE-2025-54951 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-54951?

This vulnerability affects the following AI/ML architecture patterns: mobile edge inference, on-device model serving, model delivery and OTA update pipelines, Android ML applications, edge AI deployment pipelines.

What is the CVSS score for CVE-2025-54951?

CVE-2025-54951 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.27%.

Technical Details

NVD Description

A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit cea9b23aa8ff78aff92829a466da97461cc7930c.

Exploitation Scenario

An adversary targets an Android application that fetches ExecuTorch models from a third-party CDN or public model hub. They publish a trojanized .pte model file crafted to trigger a heap overflow in ExecuTorch's model loader. The application, running ExecuTorch < 0.7.0, pulls the malicious model during its routine update cycle and loads it. During deserialization, the overflow corrupts adjacent heap memory, hijacking execution flow within the app process. On Android, this yields code execution in the app's sandbox — enabling exfiltration of user data, credentials stored in the app, or further exploitation of device APIs. No user interaction is required beyond the app performing its normal model refresh.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 8, 2025
Last Modified
October 6, 2025
First Seen
March 24, 2026
