CVE-2025-55558: PyTorch: Inductor compiler buffer overflow causes DoS
HIGH · PoC AVAILABLE · CISA: TRACK*
PyTorch v2.7.0's Inductor compiler (torch.compile) has a buffer overflow triggered by specific layer combinations (Conv2d + hardshrink + view/mv), enabling unauthenticated remote attackers to crash inference services with no privileges required. Any production deployment using torch.compile with these layers is exposed. Immediate action: audit workloads for torch.compile usage, apply the patch from PR #151887, or disable Inductor as a workaround until a patched release ships.
Risk Assessment
High severity (CVSS 7.5) with low attack complexity and no authentication required makes this a credible threat to ML inference APIs. Network-accessible attack surface means any externally exposed PyTorch inference endpoint running v2.7.0 with torch.compile enabled is vulnerable. Impact is limited to availability (DoS)—not data exfiltration—but ML inference service outages can cascade into production incidents and SLA breaches. EPSS not yet available; no known active exploitation at time of publication.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| pytorch | pip | — | No patch |
Recommended Action
1) Patch: Apply fix from https://github.com/pytorch/pytorch/pull/151887 once a patched release is available.
2) Workaround: Disable torch.compile (Inductor) for models using Conv2d + hardshrink + view/mv combinations—run in eager mode (torch.compile disabled by default in older PyTorch versions).
3) Audit: Grep codebases and model registries for torch.compile usage combined with Conv2d and hardshrink activations.
4) Monitor: Alert on abnormal process crashes, OOM events, or container restarts in PyTorch inference workers.
5) Harden: Deploy model serving behind rate limiters and input validation layers to reduce DoS attack surface.
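The audit in step 3 can be made more precise than a plain grep by parsing each source file and checking which of the advisory's names it references, so that Python's builtin `compile()` is not mistaken for torch.compile. This is an added example, not code from the advisory or from PyTorch; the function names, result labels and sample sources are assumptions, and a match by identifier only marks a file for manual review.

```python
import ast

# Op names come from the advisory; matching is by identifier only (an assumption),
# so a hit marks a file for manual review, not a confirmed trigger.
OPS = {"Conv2d": "conv2d", "hardshrink": "hardshrink",
       "Hardshrink": "hardshrink", "view": "view", "mv": "mv"}

def scan_source(source):
    """Return the advisory-relevant features referenced by one Python file."""
    tree = ast.parse(source)
    torch_names, compile_names, found = {"torch"}, set(), set()
    for node in ast.walk(tree):                       # pass 1: resolve import aliases
        if isinstance(node, ast.Import):
            torch_names |= {a.asname for a in node.names if a.name == "torch" and a.asname}
        elif isinstance(node, ast.ImportFrom) and node.module == "torch":
            compile_names |= {a.asname or a.name for a in node.names if a.name == "compile"}
    for node in ast.walk(tree):                       # pass 2: collect references
        if isinstance(node, ast.Attribute):
            if (node.attr == "compile" and isinstance(node.value, ast.Name)
                    and node.value.id in torch_names):
                found.add("torch.compile")            # also covers @torch.compile
            elif node.attr in OPS:
                found.add(OPS[node.attr])
        elif isinstance(node, ast.Name):
            if node.id in compile_names:
                found.add("torch.compile")            # from torch import compile [as x]
            elif node.id in OPS:
                found.add(OPS[node.id])
    return found

def classify(found):
    """Apply the audit rule: torch.compile together with Conv2d and hardshrink."""
    if not {"torch.compile", "conv2d", "hardshrink"} <= found:
        return "not-flagged"
    return "full-pattern" if {"view", "mv"} <= found else "flagged"

# Constructed samples; they are only parsed, never executed.
COMPILED = """
import torch as th
import torch.nn.functional as F
conv = th.nn.Conv2d(IN_CH, OUT_CH, KERNEL)
def forward(x, vec):
    return th.mv(F.hardshrink(conv(x)).view(ROWS, COLS), vec)
fast = th.compile(forward)
"""
EAGER = COMPILED.replace("th.compile(forward)", "compile('1 + 1', '<s>', 'eval')")

if __name__ == "__main__":
    print(classify(scan_source(COMPILED)), classify(scan_source(EAGER)))
```

To cover a repository, call `scan_source` on the text of each `.py` file and review anything that `classify` does not report as `not-flagged`.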
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-55558 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-55558, increasing the risk of exploitation.
What systems are affected by CVE-2025-55558?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.
What is the CVSS score for CVE-2025-55558?
CVE-2025-55558 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.09%.
Technical Details
NVD Description
A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a Denial of Service (DoS).
Exploitation Scenario
An adversary identifies a public-facing ML inference API (e.g., a computer vision or image classification service) running PyTorch 2.7.0 with torch.compile enabled. By fingerprinting the service or reviewing public model cards, they determine the model architecture includes Conv2d and hardshrink layers. The attacker submits crafted inference requests designed to trigger the specific Conv2d + hardshrink + view/mv code path in the Inductor-compiled model. The buffer overflow crashes the inference worker process. With no authentication required and low complexity, this can be scripted for sustained DoS, rendering the AI service unavailable. In Kubernetes or ECS environments, repeated crashes may exhaust pod restart budgets and take down the entire inference tier.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2024-5452 | 9.8 | pytorch-lightning: RCE via deepdiff Delta deserialization | Same package: torch |
| CVE-2023-43654 | 9.8 | TorchServe: SSRF + RCE via unrestricted model URL loading | Same package: torch |
| CVE-2022-45907 | 9.8 | PyTorch: RCE via unsafe eval in JIT annotations | Same package: torch |
| CVE-2022-0845 | 9.8 | pytorch-lightning: code injection enables full RCE | Same package: torch |
| CVE-2024-35198 | 9.8 | TorchServe: URL bypass enables arbitrary model loading | Same package: torch |