CVE-2025-2148 (Medium) detected in torch-2.5.1-cp39-none-macosx_11_0_arm64.whl #463
Labels
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
This vulnerability also existed in previous versions of Torch. We’ve upgraded to the latest version, but the issue is still present. I’m going to close this for now—feel free to reopen if needed. |
|
@Yerzhaisang can't we upgrade the torch version? |
|
@dhrubo-os I think it's done here |
|
Thanks for the reference. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2025-2148 - Medium Severity Vulnerability
Tensors and Dynamic neural networks in Python with strong GPU acceleration
Library home page: https://files.pythonhosted.org/packages/25/07/3548a7cfcf69d0eccec2ee79ee3913f1cdaadb27b36946774db86729ee47/torch-2.5.1-cp39-none-macosx_11_0_arm64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: fca546cb0c3befa8a2ea52909690f598c18df050
Found in base branch: main
A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.
Publish Date: 2025-03-10
URL: CVE-2025-2148
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.The text was updated successfully, but these errors were encountered: