logo

Database

Insecure deserialization In torch

Description

Withdrawn Advisory: PyTorch deserialization vulnerability

Withdrawn Advisory

This advisory has been withdrawn because it describes known functionality of PyTorch. This link is maintained to preserve external references.

Original Description

A deserialization vulnerability exists in the Pytorch RPC framework (torch.distributed.rpc) in pytorch/pytorch versions <=2.3.1. The vulnerability arises from the lack of security verification during the deserialization process of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py. This flaw allows an attacker to execute arbitrary code remotely by sending a malicious serialized PythonUDF object, leading to remote code execution (RCE) on the master node.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2024-78042. NVD-2024-78043. OSV-2024-78044. GCVE-2024-7804

References

1. https://github.com/pytorch/pytorch/blob/27a14405d3b996d572ba18339410e29ec005c775/torch/distributed/rpc/internal.py#L1622. https://huntr.com/bounties/0e870eeb-f924-4054-8fac-d926b1fb7259

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.