CVE-2025-55553 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

PyTorch 2.7.0 contains a network-exploitable DoS in proxy_tensor.py requiring zero authentication and trivial complexity—any ML inference or training service running this version and reachable over a network can be remotely crashed. Audit all PyTorch deployments for version 2.7.0 immediately and apply the upstream patch (PR #154645) or downgrade to 2.6.x until a patched release is available. Prioritize internet-facing model serving endpoints.

Risk Assessment

High risk for organizations with PyTorch 2.7.0 in network-accessible deployments. CVSS 7.5 reflects the zero-auth, low-complexity, unauthenticated network attack vector with full availability impact. proxy_tensor.py is integral to torch.compile and FX graph tracing—core to modern optimized inference pipelines. No confidentiality or integrity impact reduces severity somewhat, but a sustained DoS against production AI inference endpoints can cascade into service-wide failures for any application depending on ML model outputs.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
pytorch	pip	—	No patch
99.8K OpenSSF 6.4 21.9K dependents Pushed today 8% patched ~142d to patch Full package profile →

Do you use pytorch? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

6 steps

Audit all environments (prod, staging, CI/CD) for PyTorch 2.7.0 usage across training, serving, and data pipelines.
Apply upstream patch from github.com/pytorch/pytorch/pull/154645 or downgrade to PyTorch 2.6.x until an official patched 2.7.x build is published.
Network-segment ML serving endpoints—restrict direct internet exposure; route through authenticated API gateways.
Implement process health-check monitoring with auto-restart for inference workers to minimize MTTR if triggered.
Add rate limiting and anomaly detection on ML API inputs to slow or detect exploitation attempts.
Pin dependency versions in requirements.txt/pyproject.toml and enforce via supply chain controls (Dependabot, pip-audit).

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2 - AI Risk Assessment and Treatment

NIST AI RMF

MANAGE-2.4 - Residual Risks from AI Components

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-55553?

PyTorch 2.7.0 contains a network-exploitable DoS in proxy_tensor.py requiring zero authentication and trivial complexity—any ML inference or training service running this version and reachable over a network can be remotely crashed. Audit all PyTorch deployments for version 2.7.0 immediately and apply the upstream patch (PR #154645) or downgrade to 2.6.x until a patched release is available. Prioritize internet-facing model serving endpoints.

Is CVE-2025-55553 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-55553, increasing the risk of exploitation.

How to fix CVE-2025-55553?

1. Audit all environments (prod, staging, CI/CD) for PyTorch 2.7.0 usage across training, serving, and data pipelines. 2. Apply upstream patch from github.com/pytorch/pytorch/pull/154645 or downgrade to PyTorch 2.6.x until an official patched 2.7.x build is published. 3. Network-segment ML serving endpoints—restrict direct internet exposure; route through authenticated API gateways. 4. Implement process health-check monitoring with auto-restart for inference workers to minimize MTTR if triggered. 5. Add rate limiting and anomaly detection on ML API inputs to slow or detect exploitation attempts. 6. Pin dependency versions in requirements.txt/pyproject.toml and enforce via supply chain controls (Dependabot, pip-audit).

What systems are affected by CVE-2025-55553?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference optimization pipelines, MLOps platforms.

What is the CVSS score for CVE-2025-55553?

CVE-2025-55553 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).

Exploitation Scenario

An adversary identifies a target running PyTorch 2.7.0-based model serving—discoverable via HTTP headers, job postings, or open-source CI configs. They craft a malformed tensor or API request that routes through the proxy_tensor.py code path during model tracing or compilation, triggering the syntax error as an uncaught exception that crashes the serving process. With AV:N/AC:L/PR:N/UI:N, no setup is required beyond network reachability. The attacker loops the request to maintain continuous DoS, taking the inference service offline and disrupting any dependent business processes. Secondary impact includes potential SLA violations and forcing engineers to triage and restart services under pressure.