Summary: A critical Remote Command Execution (RCE) vulnerability has been discovered in the PyTorch framework, tracked as CVE-2025-32434, affecting versions ≤2.5.1. This flaw resides in the safe model loading function, torch.load(), especially when using the weights_only=True parameter, which many developers rely on for security. The PyTorch team has released a patched version (2.6.0) to address this critical issue, and users are urged to update immediately.
Affected: PyTorch framework (versions ≤2.5.1)
Keypoints :
- Critical vulnerability identified as CVE-2025-32434 with a CVSS score of 9.3.
- The issue allows for RCE via the torch.load() function even when configured to be secure.
- Update to PyTorch version 2.6.0 or higher is necessary to patch the vulnerability.