A critical vulnerability in PyTorch, tracked as CVE-2025-32434, allows attackers to execute malicious code remotely. The flaw is in the torch.load function when it is used with the weights_only=True parameter, which was formerly considered a safe approach for loading models from untrusted sources. This undermines PyTorch's security recommendations, as many organizations and developers had adopted this parameter specifically as a security measure. The vulnerability allows attackers to craft malicious model files that, when loaded, can run arbitrary code on the victim's system, potentially leading to total system compromise. This is especially dangerous for machine learning pipelines that automatically download and load models from external sources or collaborative environments.
Source: https://cybersecuritynews.com/critical-pytorch-vulnerability/
TPRM report: https://www.rankiteo.com/company/pytorch
"id": "pyt500042125",
"linkid": "pytorch",
"type": "Vulnerability",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Technology, Machine Learning',
'name': 'PyTorch Users',
'type': 'Developers and Organizations'}],
'attack_vector': 'Remote Code Execution',
'impact': {'operational_impact': 'Potential total system compromise',
'systems_affected': 'Machine learning pipelines'},
'initial_access_broker': {'entry_point': 'torch.load function with '
'weights_only=True parameter',
'high_value_targets': 'Machine learning pipelines'},
'motivation': 'Malicious Code Execution',
'post_incident_analysis': {'root_causes': 'Security flaw in torch.load '
'function'},
'title': 'Critical Vulnerability in PyTorch CVE-2025-32434',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2025-32434'}