9.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-32434

GHSA ID

GHSA-53q9-r3pm-6pq6

EPSS Score

0.5564%

CWE

CWE-502

Published

4/18/2025

Updated

4/18/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32434

CVE-2025-32434: PyTorch: `torch.load` with `weights_only=True` leads to remote code execution

Description

I found a Remote Command Execution (RCE) vulnerability in the PyTorch. When load model using torch.load with weights_only=True, it can still achieve RCE.

Background knowledge

https://github.com/pytorch/pytorch/security As you can see, the PyTorch official documentation considers using torch.load() with weights_only=True to be safe. Since everyone knows that weights_only=False is unsafe, so they will use the weights_only=True to mitigate the security issue. But now, I just proved that even if you use weights_only=True, it still can achieve RCE. So it is time to update your PyTorch version~.

Credit

This vulnerability was found by Ji'an Zhou.

(GitHub Advisory)

9.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-32434

GHSA ID

GHSA-53q9-r3pm-6pq6

EPSS Score

0.5564%

CWE

CWE-502

Published

4/18/2025

Updated

4/18/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
torch	pip	<= 2.5.1	2.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs when torch.load is called with weights_only=True on a specially crafted legacy .tar model file.

torch.load is the user-facing API and the entry point for the vulnerability. It dispatches the loading process.
For legacy .tar files, torch.load calls the internal function torch.serialization._legacy_load.
The core of the vulnerability lay within _legacy_load (specifically, its persistent_load helper function that handles tar files). When weights_only=True was set, the pickle_module used was _weights_only_unpickler. However, _legacy_load did not adequately ensure that this unpickler could safely process all contents of a legacy .tar file under weights_only constraints.
The patch introduces an explicit check within _legacy_load (in persistent_load) to raise an error if an attempt is made to load a legacy .tar file with weights_only=True, thereby mitigating the RCE. This confirms that _legacy_load was the function performing the unsafe deserialization under these conditions. Both torch.load (as the entry point) and torch.serialization._legacy_load (as the function containing the flawed deserialization logic for this specific case) are identified as vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# **s*ription I *oun* * R*mot* *omm*n* *x**ution (R**) vuln*r**ility in t** PyTor**. W**n lo** mo**l usin* tor**.lo** wit* w*i**ts_only=Tru*, it **n still ***i*v* R**. # ***k*roun* knowl**** *ttps://*it*u*.*om/pytor**/pytor**/s**urity *s you **n

Reasoning

T** vuln*r**ility o**urs w**n `tor**.lo**` is **ll** wit* `w*i**ts_only=Tru*` on * sp**i*lly *r**t** l****y `.t*r` mo**l *il*. *. `tor**.lo**` is t** us*r-***in* *PI *n* t** *ntry point *or t** vuln*r**ility. It *isp*t***s t** lo**in* pro**ss. *. *o

9.3

Basic Information

Concerned about an active attack path?

CVE-2025-32434: PyTorch: `torch.load` with `weights_only=True` leads to remote code execution

Description

Background knowledge

Credit

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI