Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-2148 | PyTorch: memory corruption in JIT profiler callback handler | torch | 7.5 |
| LOW | CVE-2025-2149 | PyTorch: improper init in quantized sigmoid skews model output | torch | 2.5 |
| MEDIUM | CVE-2024-6577 | TorchServe: unverified S3 bucket exposes benchmark data | torchserve | 6.3 |
| MEDIUM | CVE-2025-2953 | PyTorch: DoS via mkldnn_max_pool2d resource leak | pytorch | 5.5 |
| MEDIUM | CVE-2025-2998 | PyTorch: memory corruption in RNN pad_packed_sequence | torch | 5.3 |
| MEDIUM | CVE-2025-2999 | PyTorch: memory corruption in RNN sequence unpacking | torch | 5.3 |
| MEDIUM | CVE-2025-3000 | PyTorch: memory corruption in torch.jit.script compiler | torch | 5.3 |
| MEDIUM | CVE-2025-3001 | PyTorch: lstm_cell memory corruption, local code exec | torch | 5.3 |
| MEDIUM | CVE-2025-3121 | PyTorch: memory corruption in JIT flatbuffer loader | pytorch | 5.5 |
| LOW | CVE-2025-3136 | PyTorch: memory corruption in CUDA caching allocator | pytorch | 3.3 |
| MEDIUM | CVE-2025-3730 | PyTorch: DoS via ctc_loss resource mishandling | pytorch | 5.5 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| LOW | CVE-2025-4287 | PyTorch NCCL: local DoS in distributed training reduce op | 3.3 | |
| CRITICAL | CVE-2025-47277 | vLLM: RCE via exposed TCPStore in distributed inference | vllm | 9.8 |
| HIGH | CVE-2025-10155 | picklescan: file extension bypass allows model RCE | picklescan | 7.8 |
| MEDIUM | CVE-2025-46148 | PyTorch: PairwiseDistance silent miscalculation, integrity risk | pytorch | 5.3 |
| MEDIUM | CVE-2025-46149 | PyTorch: reachable assertion in nn.Fold with inductor | pytorch | 5.3 |
| MEDIUM | CVE-2025-46150 | PyTorch: torch.compile silent output inconsistency | pytorch | 5.3 |
| MEDIUM | CVE-2025-46152 | PyTorch: OOB write causes incorrect bitwise shift results | pytorch | 5.3 |
| MEDIUM | CVE-2025-46153 | PyTorch: Dropout inconsistency enables membership inference | pytorch | 5.3 |