CVE-2025-32434: 
CBL Mariner vulnerability analysis and mitigation

A critical Remote Command Execution (RCE) vulnerability has been discovered in PyTorch, tracked as CVE-2025-32434. The vulnerability affects PyTorch versions 2.5.1 and prior, specifically in the torch.load() function when used with weights_only=True parameter. This security flaw was discovered by security researcher Ji'an Zhou and has been assigned a critical CVSS v4 score of 9.3. The vulnerability has been patched in PyTorch version 2.6.0 (Security Online, NVD).

The vulnerability exists in PyTorch's model loading functionality, specifically when using the torch.load() function with weights_only=True parameter. This parameter was previously considered a security safeguard, but the researcher proved that it could still be exploited to achieve remote code execution. The vulnerability has been classified under CWE-502 (Deserialization of Untrusted Data) and received a CVSS v4 score of 9.3 CRITICAL with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD, GitHub Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary commands on the target machine. This could potentially lead to data breaches, system compromise, or lateral movement in cloud-hosted AI environments. The impact is particularly severe because many developers trust weights_only=True as a security measure, making the exploit potentially successful even in environments with other security practices in place (Security Online).

The primary mitigation is to update PyTorch to version 2.6.0 or higher, which contains the patch for this vulnerability. Users can update using pip (pip install torch torchvision torchaudio --upgrade) or conda (conda update pytorch torchvision torchaudio -c pytorch) (Security Online).