CVE-2024-7804 – torch
Package
Manager: pip
Name: torch
Vulnerable Version: <0
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: N/A
EPSS: N/A (percentile: N/A)
Details
Withdrawn Advisory: PyTorch deserialization vulnerability
Withdrawn Advisory
This advisory has been withdrawn because it describes known functionality of PyTorch. This link is maintained to preserve external references.
Original Description
A deserialization vulnerability exists in the PyTorch RPC framework (torch.distributed.rpc) in pytorch/pytorch versions <=2.3.1. The vulnerability arises from the lack of security verification during the deserialization process of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py. This flaw allows an attacker to execute arbitrary code remotely by sending a malicious serialized PythonUDF object, leading to remote code execution (RCE) on the master node.
Metadata
Created: 2025-03-20T12:32:46Z
Modified: 2025-04-02T13:31:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4vmg-rw8f-92f9/GHSA-4vmg-rw8f-92f9.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-4vmg-rw8f-92f9
Finding: F096
Auto approve: 1