CVE-2025-55557: 
Homebrew vulnerability analysis and mitigation

A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS). The vulnerability was discovered and disclosed in September 2025, affecting PyTorch versions up to and including 2.7.0 (NVD, GitHub Advisory).

The vulnerability occurs when compiling a PyTorch model that uses the torch.cummin API with the Inductor compiler. When attempting to compile such models, the generated Triton code throws a NameError indicating 'rindex is not defined', which leads to compilation failure. The issue has been assigned a CVSS v3.1 Base Score of 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a Denial of Service (DoS) condition when attempting to compile affected PyTorch models. This can disrupt the normal operation of applications that rely on the torch.cummin functionality, particularly in production environments where model compilation is performed (GitHub Advisory).

The vulnerability has been fixed in versions after PyTorch 2.7.0 through pull request #151931. Users are advised to upgrade to the latest version of PyTorch that includes this fix. As a temporary workaround, users can avoid using the Inductor compiler with models that contain torch.cummin operations (GitHub PR).

The issue was labeled as high priority by the PyTorch community, indicating its significance. The vulnerability was actively tracked and addressed by the PyTorch development team, with multiple developers and maintainers being involved in the resolution process (GitHub Issue).