CVE-2025-55553: PyTorch 2.7.0: DoS via proxy_tensor.py syntax error

HIGH | PoC AVAILABLE | CISA: TRACK*
Published September 25, 2025

CISO Take

PyTorch 2.7.0 contains a network-exploitable DoS in proxy_tensor.py requiring zero authentication and trivial complexity—any ML inference or training service running this version and reachable over a network can be remotely crashed. Audit all PyTorch deployments for version 2.7.0 immediately and apply the upstream patch (PR #154645) or downgrade to 2.6.x until a patched release is available. Prioritize internet-facing model serving endpoints.

What is the risk?

High risk for organizations with PyTorch 2.7.0 in network-accessible deployments. CVSS 7.5 reflects an unauthenticated, low-complexity network attack vector with full availability impact. proxy_tensor.py is integral to torch.compile and FX graph tracing, which are core to modern optimized inference pipelines. The absence of confidentiality or integrity impact reduces severity somewhat, but a sustained DoS against production AI inference endpoints can cascade into service-wide failures for any application depending on ML model outputs.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
PyTorch | pip | | No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

6 steps
  1. Audit all environments (prod, staging, CI/CD) for PyTorch 2.7.0 usage across training, serving, and data pipelines.

  2. Apply upstream patch from github.com/pytorch/pytorch/pull/154645 or downgrade to PyTorch 2.6.x until an official patched 2.7.x build is published.

  3. Network-segment ML serving endpoints—restrict direct internet exposure; route through authenticated API gateways.

  4. Implement process health-check monitoring with auto-restart for inference workers to minimize MTTR if triggered.

  5. Add rate limiting and anomaly detection on ML API inputs to slow or detect exploitation attempts.

  6. Pin dependency versions in requirements.txt/pyproject.toml and enforce via supply chain controls (Dependabot, pip-audit).
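
One way to carry out steps 1 and 6 against requirements files and the running environment, as an added example that is not code from the advisory or from the PyTorch project. The function names and the sample file are constructed for illustration; only exact `==` pins are decided automatically, and ranges, wildcards or bare names are marked `review` because they can resolve to 2.7.0.

```python
import re
from importlib import metadata

AFFECTED = (2, 7, 0)  # the one release the advisory names as vulnerable
# Distribution name, optional extras, then the specifier up to a marker or comment.
REQ = re.compile(r"^\s*(?P<name>[A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(?P<spec>[^;#]*)")
# Exact pin such as ==2.7.0 or ==2.7.0+cu126 (local build tag allowed).
EXACT = re.compile(r"^={2,3}\s*(\d+(?:\.\d+)*)(?:\+[A-Za-z0-9.]+)?$")

# Constructed sample input, not taken from any real project.
SAMPLE = """\
numpy==2.1.0
torchvision==0.22.0
torch==2.7.0+cu126 ; python_version >= "3.9"
torch>=2.6
torch==2.6.0
"""

def release(version):
    """'2.7.0+cu126' -> (2, 7, 0); '2.7' is padded to (2, 7, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(line):
    """'affected', 'ok' or 'review' for a torch requirement, None for other lines."""
    m = REQ.match(line)
    if not m or re.sub(r"[-_.]+", "-", m.group("name")).lower() != "torch":
        return None
    exact = EXACT.match(m.group("spec").strip())
    if not exact:
        return "review"  # range, wildcard or bare name: may resolve to 2.7.0
    return "affected" if release(exact.group(1)) == AFFECTED else "ok"

def audit(text):
    """(line number, status) for every torch requirement in a requirements file."""
    hits = ((n, classify(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, status) for n, status in hits if status]

def installed_status(dist="torch"):
    """Status of the torch actually installed in this interpreter's environment."""
    try:
        return "affected" if release(metadata.version(dist)) == AFFECTED else "ok"
    except metadata.PackageNotFoundError:
        return "absent"
```

Run `audit()` over each requirements file in the repositories being checked and `installed_status()` inside each serving or CI image, since a lock file and the installed wheel can disagree.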

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2 - AI Risk Assessment and Treatment
NIST AI RMF: MANAGE-2.4 - Residual Risks from AI Components
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-55553 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-55553, increasing the risk of exploitation.

What systems are affected by CVE-2025-55553?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference optimization pipelines, MLOps platforms.

What is the CVSS score for CVE-2025-55553?

CVE-2025-55553 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference optimization pipelines, MLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).

Exploitation Scenario

An adversary identifies a target running PyTorch 2.7.0-based model serving—discoverable via HTTP headers, job postings, or open-source CI configs. They craft a malformed tensor or API request that routes through the proxy_tensor.py code path during model tracing or compilation, triggering the syntax error as an uncaught exception that crashes the serving process. With AV:N/AC:L/PR:N/UI:N, no setup is required beyond network reachability. The attacker loops the request to maintain continuous DoS, taking the inference service offline and disrupting any dependent business processes. Secondary impact includes potential SLA violations and forcing engineers to triage and restart services under pressure.

Weaknesses (CWE)

CWE-248 — Uncaught Exception: An exception is thrown from a function, but it is not caught.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 25, 2025
Last Modified: October 3, 2025
First Seen: September 25, 2025

Related Vulnerabilities