Fluid Attacks Database

Description

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	pytorch	=1.13.1+dfsg-4 \|\| =1.13.1+dfsg-5 \|\| =2.0.1+dfsg-1 \|\| =2.0.1+dfsg-1~exp1 \|\| =2.0.1+dfsg-2 \|\| =2.0.1+dfsg-4 \|\| =2.0.1+dfsg-5 \|\| =2.1.2+dfsg-1 \|\| =2.1.2+dfsg-2 \|\| =2.1.2+dfsg-4 \|\| =2.12.0+dfsg2-1 \|\| =2.12.0+dfsg2-1~exp1 \|\| =2.12.0+dfsg2-1~exp2 \|\| =2.12.0+dfsg2-2 \|\| =2.12.0+dfsg2-3 \|\| =2.12.0+dfsg2-4 \|\| =2.4.1-1 \|\| =2.4.1-3 \|\| =2.4.1-4 \|\| =2.5.0+dfsg-1 \|\| =2.5.1+dfsg-1 \|\| =2.5.1+dfsg-3 \|\| =2.5.1+dfsg-4 \|\| =2.6.0+dfsg-1 \|\| =2.6.0+dfsg-1~exp1 \|\| =2.6.0+dfsg-2 \|\| =2.6.0+dfsg-3 \|\| =2.6.0+dfsg-4 \|\| =2.6.0+dfsg-5 \|\| =2.6.0+dfsg-7 \|\| =2.6.0+dfsg-8 \|\| =2.6.0+dfsg-9 \|\| =2.6.0~rc9+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp2 \|\| =2.9.1+dfsg-1~exp1 \|\| =2.9.1+dfsg-1~exp2	-
debian 11	pytorch	=1.12.0-1 \|\| =1.12.0~rc1-1 \|\| =1.12.1-1 \|\| =1.13.1+dfsg-1 \|\| =1.13.1+dfsg-2 \|\| =1.13.1+dfsg-3 \|\| =1.13.1+dfsg-4 \|\| =1.13.1+dfsg-5 \|\| =1.7.1-7 \|\| =1.7.1-7+deb11u1 \|\| =1.8.1-1 \|\| =1.8.1-2 \|\| =1.8.1-3 \|\| =1.8.1-4 \|\| =1.8.1-5 \|\| =2.0.1+dfsg-1 \|\| =2.0.1+dfsg-1~exp1 \|\| =2.0.1+dfsg-2 \|\| =2.0.1+dfsg-4 \|\| =2.0.1+dfsg-5 \|\| =2.1.2+dfsg-1 \|\| =2.1.2+dfsg-2 \|\| =2.1.2+dfsg-4 \|\| =2.12.0+dfsg2-1 \|\| =2.12.0+dfsg2-1~exp1 \|\| =2.12.0+dfsg2-1~exp2 \|\| =2.12.0+dfsg2-2 \|\| =2.12.0+dfsg2-3 \|\| =2.12.0+dfsg2-4 \|\| =2.4.1-1 \|\| =2.4.1-3 \|\| =2.4.1-4 \|\| =2.5.0+dfsg-1 \|\| =2.5.1+dfsg-1 \|\| =2.5.1+dfsg-3 \|\| =2.5.1+dfsg-4 \|\| =2.6.0+dfsg-1 \|\| =2.6.0+dfsg-1~exp1 \|\| =2.6.0+dfsg-2 \|\| =2.6.0+dfsg-3 \|\| =2.6.0+dfsg-4 \|\| =2.6.0+dfsg-5 \|\| =2.6.0+dfsg-7 \|\| =2.6.0+dfsg-8 \|\| =2.6.0+dfsg-9 \|\| =2.6.0~rc9+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp2 \|\| =2.9.1+dfsg-1~exp1 \|\| =2.9.1+dfsg-1~exp2	-
debian 13	pytorch	=2.12.0+dfsg2-1 \|\| =2.12.0+dfsg2-1~exp1 \|\| =2.12.0+dfsg2-1~exp2 \|\| =2.12.0+dfsg2-2 \|\| =2.12.0+dfsg2-3 \|\| =2.12.0+dfsg2-4 \|\| =2.6.0+dfsg-7 \|\| =2.6.0+dfsg-8 \|\| =2.6.0+dfsg-9 \|\| =2.9.0+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp2 \|\| =2.9.1+dfsg-1~exp1 \|\| =2.9.1+dfsg-1~exp2	-
debian 14	pytorch	=2.12.0+dfsg2-1 \|\| =2.12.0+dfsg2-1~exp1 \|\| =2.12.0+dfsg2-1~exp2 \|\| =2.12.0+dfsg2-2 \|\| =2.12.0+dfsg2-3 \|\| =2.12.0+dfsg2-4 \|\| =2.6.0+dfsg-7 \|\| =2.6.0+dfsg-8 \|\| =2.6.0+dfsg-9 \|\| =2.9.0+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp2 \|\| =2.9.1+dfsg-1~exp1 \|\| =2.9.1+dfsg-1~exp2	-
pypi	torch	=1.0.0 \|\| =1.0.1 \|\| =1.1.0 \|\| =1.10.0 \|\| =1.10.1 \|\| =1.10.2 \|\| =1.11.0 \|\| =1.12.0 \|\| =1.12.1 \|\| =1.13.0 \|\| =1.13.1 \|\| =1.2.0 \|\| =1.3.0 \|\| =1.3.1 \|\| =1.4.0 \|\| =1.5.0 \|\| =1.5.1 \|\| =1.6.0 \|\| =1.7.0 \|\| =1.7.1 \|\| =1.8.0 \|\| =1.8.1 \|\| =1.9.0 \|\| =1.9.1 \|\| =2.0.0 \|\| =2.0.1 \|\| =2.1.0 \|\| =2.1.1 \|\| =2.1.2 \|\| =2.2.0 \|\| =2.2.1 \|\| =2.2.2 \|\| =2.3.0 \|\| =2.3.1 \|\| =2.4.0 \|\| =2.4.1 \|\| >=0 <2.5.0	2.5.0

Aliases

1. CVE-2024-480632. NVD-2024-480633. OSV-DEBIAN-2024-480634. OSV-2024-480635. OSV-PYSEC-2024-2596. GCVE-2024-480637. SECURITY-TRACKER-CVE-2024-48063

References

1. https://github.com/pytorch/pytorch/issues/1292282. https://gist.github.com/hexian2001/c046c066895a963ecc0a2cf9e11800653. https://github.com/pytorch/pytorch/security/policy#using-distributed-features

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.