CVE-2025-55557: PyTorch: DoS via cummin+Inductor NameError in 2.7.0

Severity: HIGH | PoC available | CISA SSVC: Track*
Published September 25, 2025
CISO Take

PyTorch 2.7.0 crashes with an uncaught NameError when any model using torch.cummin is compiled through the Inductor backend—no authentication or privileges required to trigger it. Any production ML serving endpoint accepting compiled models, or any training pipeline using torch.compile on affected architectures, is exposed to remote availability disruption. Immediate action: pin to a patched build (PR #151931) or disable Inductor compilation for models containing torch.cummin operations.

Risk Assessment

High exploitability: CVSS 7.5, network-accessible, zero authentication, low complexity—attacker only needs to influence a model definition or submit a crafted model to a serving endpoint. Impact is purely availability (A:H), no confidentiality or integrity risk. Blast radius is bounded to PyTorch 2.7.0 with Inductor-compiled models, but that version was just released and many teams will be on it. Shared ML platforms, MLaaS APIs, and CI/CD pipelines running automated torch.compile are the highest-risk environments.

Affected Systems

Package: pytorch
Ecosystem: pip
Vulnerable Range:
Patched: No patch
Package stats: 99.8K, OpenSSF 6.4, 21.9K dependents, pushed today, 8% patched, ~142d to patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 16% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

5 steps
  1. PATCH

    Apply PR #151931 once merged into a stable PyTorch release; monitor https://github.com/pytorch/pytorch/pull/151931 for merge status.

  2. WORKAROUND

    Avoid torch.compile() (Inductor backend) on models that include torch.cummin; use eager mode as fallback.

  3. DETECTION

    Monitor serving infrastructure for unexpected Python NameError crashes in PyTorch processes; alert on abnormal process termination in ML serving pods.

  4. ISOLATION

    If running a shared ML platform accepting user-submitted models, sandbox torch.compile execution in isolated processes with resource limits and restart policies.

  5. VERSION CONTROL

    Audit all environments for PyTorch 2.7.0 and prioritize patching of externally accessible inference endpoints.
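
A triage sketch for steps 2 and 5, added here as an example and not taken from PyTorch or the advisory: it statically scans a model's source for `cummin` references together with `torch.compile`, and flags the file only when the installed version is 2.7.0. The function names and the sample file are constructed; the scan is a heuristic that misses aliased imports such as `import torch as th` and dynamically built graphs.

```python
import ast

AFFECTED_VERSION = "2.7.0"  # the only release the advisory names

def is_affected_version(version: str) -> bool:
    """True for 2.7.0, including local build tags such as 2.7.0+cu126."""
    return version.strip().split("+", 1)[0] == AFFECTED_VERSION

def scan_source(source: str) -> dict:
    """Return sorted line numbers that reference cummin and torch.compile."""
    cummin, compiled = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            if node.attr == "cummin":  # torch.cummin(x, ...) or x.cummin(...)
                cummin.add(node.lineno)
            elif (node.attr == "compile" and isinstance(node.value, ast.Name)
                  and node.value.id == "torch"):  # call or @torch.compile
                compiled.add(node.lineno)
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            for alias in node.names:  # from torch import cummin / compile
                if alias.name == "cummin":
                    cummin.add(node.lineno)
                elif alias.name == "compile":
                    compiled.add(node.lineno)
    return {"cummin": sorted(cummin), "compile": sorted(compiled)}

def triage(source: str, torch_version: str) -> dict:
    """Flag a file only when all three advisory conditions hold."""
    hits = scan_source(source)
    hits["at_risk"] = bool(hits["cummin"] and hits["compile"]
                           and is_affected_version(torch_version))
    return hits

# Constructed sample: a model file as it might appear in a repository.
SAMPLE = '''\
import torch

class Net(torch.nn.Module):
    def forward(self, x):
        values, _ = torch.cummin(x, dim=0)
        return values

model = torch.compile(Net())
'''

if __name__ == "__main__":
    print(triage(SAMPLE, "2.7.0"))
```

Files flagged `at_risk` are the candidates for the eager-mode fallback in step 2; in a real audit the version string would come from `importlib.metadata.version("torch")` in each environment.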

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
A.6.2.6 - AI system availability and resilience
NIST AI RMF
GOVERN-1.2 - Organizational risk tolerances for AI are established
MANAGE-2.2 - Mechanisms to sustain AI system operation during disruptions

Frequently Asked Questions

Is CVE-2025-55557 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-55557, increasing the risk of exploitation.

How to fix CVE-2025-55557?

1. PATCH: Apply PR #151931 once merged into a stable PyTorch release; monitor https://github.com/pytorch/pytorch/pull/151931 for merge status.
2. WORKAROUND: Avoid torch.compile() (Inductor backend) on models that include torch.cummin; use eager mode as fallback.
3. DETECTION: Monitor serving infrastructure for unexpected Python NameError crashes in PyTorch processes; alert on abnormal process termination in ML serving pods.
4. ISOLATION: If running a shared ML platform accepting user-submitted models, sandbox torch.compile execution in isolated processes with resource limits and restart policies.
5. VERSION CONTROL: Audit all environments for PyTorch 2.7.0 and prioritize patching of externally accessible inference endpoints.

What systems are affected by CVE-2025-55557?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML compilation pipelines, and shared ML platforms.

What is the CVSS score for CVE-2025-55557?

CVE-2025-55557 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).

Exploitation Scenario

An adversary targeting a public ML inference API (e.g., a model evaluation service or shared training platform) submits a PyTorch model that includes a torch.cummin operation. When the backend attempts to optimize the model using torch.compile() with Inductor, a NameError is raised in the generated code, crashing the worker process. In a Kubernetes-based serving environment without proper process isolation, repeated submissions could continuously crash and restart inference workers, causing sustained service degradation. In a CI/CD pipeline accepting external PRs, a contributor could embed torch.cummin in a model test to crash the pipeline runner.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 25, 2025
Last Modified: October 3, 2025
First Seen: September 25, 2025
