CVE-2025-3730: Denial of Service in PyTorch
A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue. The project's security policy warns against using unknown models, which might have malicious effects.
AI Analysis
Technical Summary
CVE-2025-3730 is a medium-severity vulnerability identified in PyTorch version 2.6.0, specifically within the function torch.nn.functional.ctc_loss located in the source file aten/src/ATen/native/LossCTC.cpp. The vulnerability allows an attacker with local access and low privileges to cause a denial of service (DoS) condition by manipulating inputs to this function. The vulnerability does not require user interaction, elevated privileges beyond low-level local access, or network access, limiting the attack vector to local exploitation. The vulnerability was publicly disclosed on April 16, 2025, and a patch has been issued (commit 46fc5d8e360127361211cb237d5f9eef0223e567) to address the issue. Although the vulnerability's real existence has been questioned, the presence of a patch and public disclosure indicates a credible risk. The PyTorch project also warns against using unknown or untrusted models, as these could potentially introduce malicious effects, which may be related to or exacerbate this vulnerability. The CVSS 4.0 base score is 4.8, reflecting a medium severity with local attack vector, low complexity, no privileges required beyond local user, and no user interaction needed. The vulnerability impacts availability by causing denial of service but does not affect confidentiality or integrity. No known exploits are currently observed in the wild, but the public disclosure means that exploitation techniques could emerge. This vulnerability is relevant for organizations using PyTorch 2.6.0, particularly those running machine learning workloads locally where untrusted users or processes may have access to invoke the vulnerable function.
Potential Impact
For European organizations, the impact of CVE-2025-3730 is primarily related to service availability and operational continuity in environments utilizing PyTorch 2.6.0 for machine learning tasks. Organizations in sectors such as research institutions, AI development companies, and enterprises deploying AI models locally could face disruptions if an attacker exploits this vulnerability to cause denial of service. This could lead to downtime of AI services, delayed processing of machine learning workloads, and potential cascading effects on dependent systems. Since the attack requires local access, the risk is heightened in multi-user environments, shared computing resources, or cloud instances where multiple tenants or users have access. The warning about unknown models suggests a risk vector where maliciously crafted models could trigger the vulnerability, increasing the threat surface. However, the lack of remote exploitability and the medium severity score limit the overall risk to highly targeted or insider threat scenarios rather than broad external attacks. European organizations with strict data protection and operational resilience requirements should consider this vulnerability in their risk assessments, especially where AI workloads are critical to business operations or research.
Mitigation Recommendations
1. Apply the official patch identified by commit 46fc5d8e360127361211cb237d5f9eef0223e567 to upgrade PyTorch from version 2.6.0 to a fixed version as soon as possible.
2. Restrict local access to systems running PyTorch, ensuring that only trusted and authorized users can execute machine learning workloads, thereby reducing the risk of local exploitation.
3. Implement strict controls and validation on models loaded into PyTorch environments, avoiding the use of unknown or untrusted models that could trigger malicious behavior or exploit this vulnerability.
4. Monitor system logs and application behavior for signs of denial of service or abnormal crashes related to the ctc_loss function.
5. In multi-tenant or shared environments, enforce containerization or sandboxing to isolate PyTorch processes and limit the impact of potential exploitation.
6. Educate developers and data scientists about the risks of using unverified models and the importance of applying security patches promptly.
7. Incorporate vulnerability scanning and patch management processes specifically targeting AI/ML frameworks like PyTorch in the organization's cybersecurity program.
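The following is an added example, not PyTorch project code and not the fix commit named above. The advisory only states that manipulated inputs to ctc_loss can cause a denial of service, so rather than reproducing any trigger it does two defensive things a deployment can do today: gate on the affected version string, and enforce the documented ctc_loss contract (log_probs of shape (T, N, C); targets padded (N, S) or 1-D concatenated; every input_length within [0, T]; every target_length within the padded row; labels inside [0, C) and never equal to the blank index) before the real function is called. It is pure Python so it runs without torch installed; the function names `is_affected_torch_version` and `validate_ctc_inputs` are this example's own, and the sample inputs at the bottom are constructed.

```python
"""Defensive pre-checks for torch.nn.functional.ctc_loss inputs (added example)."""
from __future__ import annotations

import re
from typing import Sequence

AFFECTED_VERSION = (2, 6, 0)  # the release the advisory names as affected


def parse_torch_version(version: str) -> tuple[int, int, int]:
    """Reduce strings such as '2.6.0+cu124' or '2.6.0a0' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected_torch_version(version: str) -> bool:
    """True for the 2.6.0 line; pass torch.__version__ from the running process."""
    return parse_torch_version(version) == AFFECTED_VERSION


def validate_ctc_inputs(
    log_probs_shape: Sequence[int],
    targets: Sequence[Sequence[int]] | Sequence[int],
    input_lengths: Sequence[int],
    target_lengths: Sequence[int],
    blank: int = 0,
) -> list[str]:
    """Return a list of contract violations; an empty list means safe to call.

    The check stops after the first group of problems (shape/length issues
    are reported before label issues) so the messages stay readable.
    """
    problems: list[str] = []
    if len(log_probs_shape) != 3:
        return [f"log_probs must be 3-D (T, N, C), got shape {tuple(log_probs_shape)}"]
    T, N, C = log_probs_shape
    if not (0 <= blank < C):
        problems.append(f"blank index {blank} outside [0, {C})")
    if len(input_lengths) != N or len(target_lengths) != N:
        problems.append(
            f"length vectors must have N={N} entries, got "
            f"{len(input_lengths)} and {len(target_lengths)}"
        )
        return problems
    for n, (il, tl) in enumerate(zip(input_lengths, target_lengths)):
        if not (0 <= il <= T):
            problems.append(f"batch {n}: input_length {il} outside [0, {T}]")
        if tl < 0:
            problems.append(f"batch {n}: negative target_length {tl}")
    if problems:
        return problems

    # Recover each sample's label sequence from either accepted layout.
    sequences: list[tuple[int, list[int]]] = []
    if targets and isinstance(targets[0], (list, tuple)):  # padded (N, S)
        if len(targets) != N:
            return [f"padded targets must have N={N} rows, got {len(targets)}"]
        for n, (row, tl) in enumerate(zip(targets, target_lengths)):
            if tl > len(row):
                problems.append(f"batch {n}: target_length {tl} exceeds padded width {len(row)}")
                continue
            sequences.append((n, list(row[:tl])))
    else:  # 1-D concatenated: length must equal sum(target_lengths)
        flat = list(targets)
        expected = sum(target_lengths)
        if len(flat) != expected:
            return [f"concatenated targets length {len(flat)} != sum(target_lengths) {expected}"]
        pos = 0
        for n, tl in enumerate(target_lengths):
            sequences.append((n, flat[pos:pos + tl]))
            pos += tl
    if problems:
        return problems

    for n, labels in sequences:
        for lab in labels:
            if not (0 <= lab < C):
                problems.append(f"batch {n}: label {lab} outside [0, {C})")
            elif lab == blank:
                problems.append(f"batch {n}: label equals blank index {blank}")
    return problems


if __name__ == "__main__":
    # Constructed sample: T=50 frames, N=2 sequences, C=20 classes.
    print("affected:", is_affected_torch_version("2.6.0+cu124"))
    good = validate_ctc_inputs((50, 2, 20), [[1, 2, 3], [4, 5, 0]], [50, 40], [3, 2])
    bad = validate_ctc_inputs((50, 2, 20), [[1, 25, 3], [4, 0, 0]], [50, 40], [3, 2])
    print("good:", good)
    print("bad:", bad)
```

In a real training or inference path the call is `validate_ctc_inputs(log_probs.shape, targets.tolist(), input_lengths.tolist(), target_lengths.tolist(), blank)` immediately before `F.ctc_loss`, rejecting the batch (and logging it, per recommendation 4) when the list is non-empty. This does not replace the patch: it narrows what reaches the native kernel to inputs the documented contract allows, which is the cheapest layer to add while an upgrade is scheduled.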
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-04-16T13:41:20.997Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682f9c790acd01a2492700bb
Added to database: 5/22/2025, 9:51:53 PM
Last enriched: 7/8/2025, 4:57:58 AM
Last updated: 7/27/2025, 12:30:13 PM
Views: 8
Related Threats
- CVE-2025-8698: Reachable Assertion in Open5GS (Medium)
- CVE-2025-26513: 267 in NetApp SAN Host Utilities for Windows (High)
- CVE-2025-48709: n/a (High)
- CVE-2025-47808: n/a (Medium)
- CVE-2025-47807: n/a (Medium)