CRITICAL🇵🇱 Wersja polska

CVE-2024-48063

CVSS 9.8v3.1pub. 2024-10-29upd. 2025-07-16

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.

🤖 AI Analysis
How it works

The vulnerability results from unsafe deserialization of data (CWE-502) in the RemoteModule component, which is part of PyTorch's distributed computing framework. An attacker can supply crafted, malicious data to the deserialization process, which consequently leads to arbitrary code execution on the server. This mechanism is available over the network without requiring authentication or user interaction.

Impact

An attacker can gain full control over the victim's system through remote code execution (RCE), which threatens the confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the vendor should be applied according to the references. The vendor indicates in its security policy that PyTorch distributed functions are intended solely for use in trusted network environments — distributed computing interfaces should not be exposed to untrusted networks. It is recommended to review the PyTorch security documentation regarding distributed functions.

Who is affected

PyTorch (Linuxfoundation) in versions up to and including 2.4.1, that utilize distributed computing features (RemoteModule / Distributed RPC Framework).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linuxfoundation Pytorch

    APP
    Linuxfoundation
    ≤ 2.4.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2025-32434CRITICAL9.3PL ✓ten sam produkt

RCE w PyTorch przy deserializacji modelu przez torch.load

CVE-2022-45907CRITICAL9.8ten sam produkt

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution becaus...

CVE-2026-24747HIGH8.8ten sam produkt

PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTo...

CVE-2025-55552HIGH7.5ten sam produkt

pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_l...

CVE-2025-55551HIGH7.5ten sam produkt

An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS...