CVE-2025-50461
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-08-20
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pytorch | pytorch | * |
| volcengine | verl | 3.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a deserialization flaw in Volcengine's verl version 3.0.0 and earlier, specifically in the scripts/model_merger.py script when using the "fsdp" backend. The script calls torch.load() with weights_only=False on user-supplied .pt model files. Because of this, an attacker can craft a malicious PyTorch model file that, when loaded, executes arbitrary code on the victim's system with the privileges of the user running the script. The attack involves convincing a victim to download and place a malicious model file with a specific filename pattern in a local directory, which the script then loads unsafely. [2]
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution on your system with the same privileges as the user running the vulnerable script. An attacker can exploit this by tricking you into loading a malicious model file, potentially allowing them to execute any code, such as creating files, modifying data, or taking control of your system processes. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking for the presence of malicious .pt files named with the pattern 'model_world_size_{world_size}_rank_{rank}.pt' in directories used by the vulnerable script. Additionally, monitoring for unexpected directory creations like 'HACKED!' could indicate exploitation. To verify if your system is vulnerable, check the version of PyTorch (should be earlier than 2.6.0) and inspect the script 'scripts/model_merger.py' for calls to torch.load() without 'weights_only=True'. Example commands: 1) Find suspicious model files: `find /path/to/models -name 'model_world_size_*_rank_*.pt'` 2) Check PyTorch version: `python -c 'import torch; print(torch.__version__)'` 3) Search for vulnerable code usage: `grep -A 5 'torch.load' scripts/model_merger.py` [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrade PyTorch to version 2.6.0 or later, which changes the default behavior of torch.load() to weights_only=True, reducing deserialization risks. 2) Modify the vulnerable script to explicitly call torch.load() with weights_only=True. 3) Validate and authenticate all model files before loading them to ensure they are not maliciously crafted. 4) Educate users to avoid loading models from untrusted sources. 5) Remove any suspicious or untrusted .pt files matching the vulnerable filename pattern from your system. [2]