torch.load with weights_only=True RCE

A security vulnerability has been discovered in PyTorch where torch.load with weights_only=True can still lead to remote code execution (RCE). It is stated that this issue has been fixed in version 2.6 and above.

I’d like to ask whether this fix was applied automatically or through a specific commit. If it was fixed via a commit, could you point me to the exact one? Additionally, is it possible for us to backport this fix to PyTorch 2.5 or 2.4?

Looking forward to your response. Thank you!

Assuming a corresponding CVE was created, it should also point to the commit fixing the issue. Do you have the CVE ID and can post it?

The 2.6 changelog links to a forum post where they mention the change that addresses this vulnerability, which links to this PR.

At first glance the change “flips the default on weights_only” (paraphrasing the PR title) for some cases and in other cases seems to force users to explicitly allow loading serialized objects via safe_globals (do verify this yourself). Assuming you’re talking about this vulnerability, I don’t know yet how it was fixed since the above says that RCEs can occur despite setting weights_only=True.
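An added illustration, not part of the thread and not PyTorch's code: a standard-library model of the allow-listing idea behind `weights_only` and `safe_globals`, where a pickle may only resolve globals the caller has explicitly vetted. `AllowListUnpickler`, `restricted_loads` and `try_load` are hypothetical names, and both pickles are constructed samples.

```python
import io
import pickle
from fractions import Fraction


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals on an explicit allow-list."""

    def __init__(self, file, allowed=()):
        super().__init__(file)
        # (module, qualified name) pairs the caller has vetted.
        self._allowed = {(c.__module__, c.__qualname__) for c in allowed}

    def find_class(self, module, name):
        # pickle calls this whenever the stream references a global
        # (a class or function); anything not vetted is refused.
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(
                f"global {module}.{name} is not allow-listed"
            )
        return super().find_class(module, name)


def restricted_loads(data, allowed=()):
    """Deserialize bytes, permitting only the classes in `allowed`."""
    return AllowListUnpickler(io.BytesIO(data), allowed).load()


def try_load(data, allowed=()):
    """Return ("ok", obj) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data, allowed))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed samples: one checkpoint made only of built-in containers and
# numbers, and one that references a class (a global) in the stream.
PLAIN = pickle.dumps({"layer.weight": [0.1, 0.2], "step": 3})
WITH_CLASS = pickle.dumps({"lr": Fraction(1, 3)})

if __name__ == "__main__":
    print(try_load(PLAIN))                          # loads, no globals needed
    print(try_load(WITH_CLASS))                     # rejected by default
    print(try_load(WITH_CLASS, allowed=[Fraction])) # loads once vetted
```

The allow-list only constrains which globals are resolved; it says nothing about whether a given PyTorch release enforces it correctly, which is what the version and fix questions in this thread are about.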

OP could be talking about this vulnerability from the PyTorch repo’s Security tab here from a week ago. The listed CVE ID is CVE-2025-32434. Here it is.

Thanks! The CVE links to this PR which seems to fix this. CC @south-ocean

@ptrblck Thanks! Could you please tell me where you found the PR corresponding to it? I couldn’t find it on the CVE record page.