CVE-2025-55560: 
CBL Mariner vulnerability analysis and mitigation

CVE-2025-55560 is a vulnerability discovered in PyTorch v2.7.0 that was disclosed on September 25, 2025. The vulnerability affects the PyTorch model compilation process when using specific tensor operations (torch.Tensor.to_sparse() and torch.Tensor.to_dense()) with the Inductor compiler (NVD, GitHub Issue).

The vulnerability occurs when a PyTorch model containing a combination of torch.Tensor.to_sparse() and torch.Tensor.to_dense() operations is compiled using the Inductor compiler. This results in a Not Implemented Error during the compilation process. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability leads to a Denial of Service (DoS) condition, causing the system to crash or become unresponsive. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD, GitHub Issue).

The vulnerability has been fixed in a later version of PyTorch through pull request #151897, which adds an additional check to trigger a graph break for sparse tensors. Users are recommended to upgrade to the patched version. As a temporary workaround, users can avoid using the combination of to_sparse() and to_dense() operations when compiling models with Inductor (GitHub PR).