A major security flaw has been discovered in PyTorch, the widely used open-source machine learning framework. Identified as CVE-2025-32434, this newly reported PyTorch vulnerability allows attackers to remotely execute arbitrary code on systems that load AI models, even when protective settings like weights_only=True are enabled.
This critical vulnerability impacts all PyTorch versions up to and including 2.5.1, according to a security advisory published earlier this week. The issue has been addressed in version 2.6.0, which has been made available through pip.
PyTorch Vulnerability Details
The root of the issue lies within PyTorch’s torch.load() function, a core component frequently used for loading serialized models. For years, developers have relied on the weights_only=True flag to protect against potentially harmful code embedded in model files. However, that protect has now been proven insufficient.
Security researcher Ji’an Zhou demonstrated that the weights_only=True setting can be bypassed, enabling attackers to execute remote commands. This revelation directly contradicts PyTorch’s own documentation, which previously recommended the setting as a reliable mitigation method.
This issue highlights the evolving nature of ML security,” the PyTorch team stated. “We urge all users to update immediately and report suspicious model behavior.”
Who Is at Risk?
Any application, research tool, or cloud service that relies on torch.load() using unpatched PyTorch versions is vulnerable. This includes systems designed for inference, federated learning, and model hub integrations. An attacker could easily upload a tampered model to a public repository or inject it into a software supply chain.
When a user loads the compromised model, the exploit would trigger, potentially granting full control over the target system. Given the low complexity and high impact of the attack, security experts have classified the vulnerability as critical.
According to GitHub’s CVE record, CVE-2025-32434 carries a CVSS 4.0 score of 9.3, placing it firmly in the “Critical” category. The vector string highlights its severity:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
In simpler terms, it requires no special privileges, user interaction, or advanced exploitation techniques, making it especially dangerous for real-world applications.
Immediate Actions Recommended
The PyTorch team strongly urges all users to take the following steps:
- Upgrade to PyTorch 2.6.0 immediately using pip install– upgrade torch.
- Audit existing AI models, especially those sourced from third-party or public repositories.
- Monitor official security channels, including the PyTorch GitHub Security page and the related GitHub Advisory (GHSA-53q9-r3pm-6pq6), for updates.
Conclusion
The discovery of the CVE-2025-32434 PyTorch vulnerability highlights the gaps in the AI community. Even widely trusted machine learning frameworks are not immune to serious security flaws. This critical vulnerability, which affects all PyTorch versions up to 2.5.1, allows remote code execution, even with weights_only=True enabled.
To protect systems, users must immediately upgrade to PyTorch 2.6.0, audit existing models—especially those from third-party sources—and closely monitor official security channels.
