CVE-2025-55557: PyTorch: DoS via cummin+Inductor NameError in 2.7.0

HIGH | PoC AVAILABLE | CISA: TRACK*
Published September 25, 2025

CISO Take

PyTorch 2.7.0 crashes with an uncaught NameError when any model using torch.cummin is compiled through the Inductor backend—no authentication or privileges required to trigger it. Any production ML serving endpoint accepting compiled models, or any training pipeline using torch.compile on affected architectures, is exposed to remote availability disruption. Immediate action: pin to a patched build (PR #151931) or disable Inductor compilation for models containing torch.cummin operations.

What is the risk?

High exploitability: CVSS 7.5, network-accessible, zero authentication, low complexity—attacker only needs to influence a model definition or submit a crafted model to a serving endpoint. Impact is purely availability (A:H), no confidentiality or integrity risk. Blast radius is bounded to PyTorch 2.7.0 with Inductor-compiled models, but that version was just released and many teams will be on it. Shared ML platforms, MLaaS APIs, and CI/CD pipelines running automated torch.compile are the highest-risk environments.

What systems are affected?

Package: PyTorch
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 30% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

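AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High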

What should I do?

5 steps
  1. PATCH

    Apply PR #151931 once merged into a stable PyTorch release; monitor https://github.com/pytorch/pytorch/pull/151931 for merge status.

  2. WORKAROUND

    Avoid torch.compile() (Inductor backend) on models that include torch.cummin; use eager mode as fallback.

  3. DETECTION

    Monitor serving infrastructure for unexpected Python NameError crashes in PyTorch processes; alert on abnormal process termination in ML serving pods.

  4. ISOLATION

    If running a shared ML platform accepting user-submitted models, sandbox torch.compile execution in isolated processes with resource limits and restart policies.

  5. VERSION CONTROL

    Audit all environments for PyTorch 2.7.0 and prioritize patching of externally accessible inference endpoints.
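The following static audit supports steps 2 and 5. It is an added example, not code from PyTorch or from this advisory: it checks a pip-freeze style listing for a torch 2.7.0 pin and scans Python source for files that reference both cummin and torch.compile. The function names and the sample inputs are constructed for illustration.

```python
import ast
import re

AFFECTED_VERSION = "2.7.0"  # the only release the advisory names

def pinned_torch_version(requirements_text):
    """Return the torch version pinned in pip-freeze style text, or None."""
    for line in requirements_text.splitlines():
        # 'torch==' must follow immediately, so torchvision/torchaudio are skipped;
        # a local suffix such as '+cu126' is dropped.
        m = re.match(r"\s*torch==([0-9][^\s;#+]*)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def scan_source(source):
    """Line numbers where cummin and torch.compile are referenced."""
    hits = {"cummin": [], "compile": []}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Attribute):
            continue
        if node.attr == "cummin":  # torch.cummin(x, ...) and x.cummin(...)
            hits["cummin"].append(node.lineno)
        elif (node.attr == "compile" and isinstance(node.value, ast.Name)
              and node.value.id == "torch"):  # call or @torch.compile decorator
            hits["compile"].append(node.lineno)
    return {k: sorted(v) for k, v in hits.items()}

def audit(requirements_text, source):
    """Flag code that matches the advisory: 2.7.0 + cummin + torch.compile."""
    version = pinned_torch_version(requirements_text)
    hits = scan_source(source)
    exposed = (version == AFFECTED_VERSION
               and bool(hits["cummin"]) and bool(hits["compile"]))
    return {"torch": version, "exposed": exposed, **hits}

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = "numpy==2.1.0\ntorchvision==0.22.0\ntorch==2.7.0+cu126\n"
SAMPLE_SOURCE = '''\
import torch

class Net(torch.nn.Module):
    def forward(self, x):
        values, _ = torch.cummin(x, dim=0)
        return values

model = torch.compile(Net())
'''

if __name__ == "__main__":
    print(audit(SAMPLE_REQUIREMENTS, SAMPLE_SOURCE))
```

The scan is file-level and name-based: it misses aliased imports such as `import torch as t` or `from torch import cummin`, and a hit means the file needs review, not that the compiled model is the one calling cummin.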

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
A.6.2.6 - AI system availability and resilience
NIST AI RMF
GOVERN-1.2 - Organizational risk tolerances for AI are established
MANAGE-2.2 - Mechanisms to sustain AI system operation during disruptions

Frequently Asked Questions

Is CVE-2025-55557 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-55557, increasing the risk of exploitation.

What systems are affected by CVE-2025-55557?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML compilation pipelines, shared ML platforms.

What is the CVSS score for CVE-2025-55557?

CVE-2025-55557 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

model serving
training pipelines
ML compilation pipelines
shared ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN-1.2, MANAGE-2.2

What are the technical details?

Original Advisory

A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).

Exploitation Scenario

An adversary targeting a public ML inference API (e.g., a model evaluation service or shared training platform) submits a PyTorch model that includes a torch.cummin operation. When the backend attempts to optimize the model using torch.compile() with Inductor, a NameError is raised in the generated code, crashing the worker process. In a Kubernetes-based serving environment without proper process isolation, repeated submissions could continuously crash and restart inference workers, causing sustained service degradation. In a CI/CD pipeline accepting external PRs, a contributor could embed torch.cummin in a model test to crash the pipeline runner.

Weaknesses (CWE)

CWE-248 — Uncaught Exception: An exception is thrown from a function, but it is not caught.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 25, 2025
Last Modified
October 3, 2025
First Seen
September 25, 2025

Related Vulnerabilities