Skip to main content

Pytorch CVE-2025-1945

CRITICAL
Insufficient Verification of Data Authenticity (CWE-345)
2025-03-10 103e4ec9-0a87-450b-af77-479448ddef11 GHSA-w8jq-xcqf-f792
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 19:50 vuln.today
PoC Detected
Dec 29, 2025 - 15:16 vuln.today
Public exploit code
Patch released
Dec 29, 2025 - 15:16 nvd
Patch available
CVE Published
Mar 10, 2025 - 12:15 nvd
CRITICAL 9.8

DescriptionCVE.org

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

AnalysisAI

PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.

Technical ContextAI

The vulnerability exploits a discrepancy between how PickleScan parses ZIP archives and how PyTorch extracts them. By toggling specific bits in ZIP local file headers, an attacker crafts archives where malicious .pkl files are invisible to the scanner but fully functional when loaded by torch.load(). This is a classic parser differential vulnerability (CWE-345).

Affected ProductsAI

PickleScan < 0.0.23, any system using PickleScan for PyTorch model validation

RemediationAI

Upgrade PickleScan to 0.0.23 or later. Consider using torch.load() with weights_only=True where possible. Audit existing model archives in your pipelines.

CVE-2024-48063 CRITICAL POC
9.8 Oct 29

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2022-45907 CRITICAL POC
9.8 Nov 26

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2024-8020 HIGH POC
7.5 Mar 20

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sendi

CVE-2025-1944 MEDIUM POC
6.5 Mar 10

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to e

CVE-2025-32434 CRITICAL POC
9.3 Apr 18

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built

CVE-2025-33244 CRITICAL
9.0 Mar 24

NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch

CVE-2025-2953 MEDIUM POC
4.8 Mar 30

A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Rated medium severity (CVSS

CVE-2025-3136 MEDIUM POC
4.8 Apr 03

A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0.cuda.memory.caching_allocator_dele

CVE-2025-3121 MEDIUM POC
4.8 Apr 02

A vulnerability classified as problematic has been found in PyTorch 2.6.0. Rated medium severity (CVSS 4.8), this vulner

CVE-2025-3730 MEDIUM POC
4.8 Apr 16

A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Rated medium severity (CVSS 4.8), this

CVE-2024-31583 HIGH
7.8 Apr 17

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpre

Share

CVE-2025-1945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy