Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2025-12343 | ffmpeg: security flaw enables exploitation | 5.5 | |
| HIGH | CVE-2021-43811 | Sockeye: unsafe YAML load RCE via model config file | 7.8 | |
| HIGH | CVE-2021-4118 | pytorch-lightning: deserialization RCE via malicious checkpoint | pytorch_lightning | 7.8 |
| CRITICAL | CVE-2022-0845 | pytorch-lightning: code injection enables full RCE | pytorch_lightning | 9.8 |
| CRITICAL | CVE-2022-45907 | PyTorch: RCE via unsafe eval in JIT annotations | pytorch | 9.8 |
| CRITICAL | CVE-2023-43654 | TorchServe: SSRF + RCE via unrestricted model URL loading | torchserve | 9.8 |
| MEDIUM | CVE-2023-48299 | TorchServe: ZipSlip arbitrary file write via model upload | torchserve | 5.3 |
| HIGH | CVE-2024-31583 | PyTorch: use-after-free in JIT mobile interpreter, RCE | pytorch | 7.8 |
| HIGH | CVE-2024-37059 | MLflow: RCE via malicious PyTorch model deserialization | mlflow | 8.8 |
| CRITICAL | CVE-2024-5452 | pytorch-lightning: RCE via deepdiff Delta deserialization | pytorch_lightning | 9.8 |
| CRITICAL | CVE-2024-35198 | TorchServe: URL bypass enables arbitrary model loading | torchserve | 9.8 |
| CRITICAL | CVE-2024-48063 | PyTorch: RCE via RemoteModule deserialization | pytorch | 9.8 |
| MEDIUM | CVE-2025-1944 | picklescan: ZIP spoof lets malicious PyTorch models bypass scan | picklescan | 6.5 |
| CRITICAL | CVE-2025-1945 | picklescan: ZIP flag bypass enables RCE in PyTorch models | picklescan | 9.8 |
| HIGH | CVE-2025-2148 | PyTorch: memory corruption in JIT profiler callback handler | torch | 7.5 |
| MEDIUM | CVE-2025-2998 | PyTorch: memory corruption in RNN pad_packed_sequence | torch | 5.3 |
| MEDIUM | CVE-2025-2999 | PyTorch: memory corruption in RNN sequence unpacking | torch | 5.3 |
| MEDIUM | CVE-2025-3000 | PyTorch: memory corruption in torch.jit.script compiler | torch | 5.3 |
| MEDIUM | CVE-2025-3001 | PyTorch: lstm_cell memory corruption, local code exec | torch | 5.3 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |