## https://sploitus.com/exploit?id=92E0F5A6-B490-5FEF-A0B3-BA19F1325726
# CVE-2025-32434: PyTorch RCE Vulnerability - PoC
## What is CVE-2025-32434?
**CVE-2025-32434** is a critical Remote Code Execution (RCE) vulnerability in PyTorch, a widely used Python library for deep learning and neural networks.
### The Core Problem
The vulnerability exists in the `torch.load()` function, even when the supposedly safe `weights_only=True` parameter is used. The `weights_only=True` option was designed to prevent code execution by restricting loading to model parameters only. However, researchers found a way to bypass this protection.
### Affected Versions
| Status | Version |
|--------|---------|
| **Vulnerable** | PyTorch 2.5.1 and all earlier versions |
| **Fixed** | PyTorch 2.6.0 and later |
### Severity
- **CVSS Score**: **9.8 out of 10** (CRITICAL)
- **Discovery**: Ji'an Zhou (presented at Black Hat USA 2025)
- **Impact**: Unauthenticated attacker can execute arbitrary code when a malicious model is loaded
- **User Interaction**: None required
### Technical Impact
An unauthenticated attacker can create a malicious model file that executes arbitrary code when loaded by a victim. The attack requires no user interaction and can lead to full system compromise. The vulnerability exploits how PyTorch uses Python's `pickle` serialization, allowing attackers to embed malicious code in model files.
### The Danger
This vulnerability is particularly dangerous because many developers rely on `weights_only=True` as a security measure, yet it shows that even the "safe" option is not sufficient.
---
## How the PoC Works
The provided `full.py` script demonstrates how to create a malicious PyTorch model that writes to the file system when loaded.
### Attack Flow
1. **Payload Creation**: The script generates a cron entry containing a reverse shell payload
2. **ASCII Conversion**: Converts the payload string to a list of ASCII codes
3. **Memory Mapping**: Uses `torch.from_file()` to create a memory-mapped tensor pointing to the target cron file
4. **Data Writing**: Copies the ASCII values into the memory-mapped region, effectively writing to the file
5. **Model Serialization**: Saves the operation as a TorchScript model
6. **Execution**: When loaded and executed, the model writes the payload to the target file
### Code Example
```python
# Memory-mapped file writing
t = torch.from_file("/etc/cron.d/rev",
                    shared=True,
                    size=len(asciis),
                    dtype=torch.uint8)
msg = torch.tensor(asciis, dtype=torch.uint8)
t.copy_(msg)  # Writes to /etc/cron.d/rev
```
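A defender-side pre-load gate for the behaviour described above, as an added example that is not part of the original PoC or of PyTorch: it refuses to load on versions below 2.6.0 and flags archives whose serialized code references `from_file`. The function names, the `/code/` archive layout and the substring match are assumptions of this example; the match is a heuristic and does not replace upgrading.

```python
import io
import re
import zipfile

FIXED = (2, 6, 0)            # first fixed release per the Affected Versions table
MARKERS = (b"from_file",)    # file-mapping call used in the Attack Flow above
MAX_BYTES = 1 << 20          # read at most 1 MiB per code entry


def is_patched(version: str) -> bool:
    """True only for a final release >= 2.6.0; unparseable input fails closed."""
    public = version.split("+", 1)[0]          # drop local tags such as +cu121
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", public)
    if not m:
        return False
    release = tuple(int(p or 0) for p in m.group(1, 2, 3))
    # Assumption: a pre-release of 2.6.0 itself is treated as unpatched.
    pre = re.match(r"\.?(a|b|rc|dev)", m.group(4)) is not None
    return release > FIXED or (release == FIXED and not pre)


def scan_archive(data: bytes) -> list[str]:
    """Names of serialized-code entries that reference a marker (heuristic)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []                              # not a zip archive: nothing to scan
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if "/code/" not in info.filename:  # assumed layout: <name>/code/...
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_BYTES)
            if any(marker in body for marker in MARKERS):
                hits.append(info.filename)
    return hits


def safe_to_load(data: bytes, torch_version: str) -> tuple[bool, str]:
    """Gate to run before torch.load(); torch_version e.g. from importlib.metadata."""
    if not is_patched(torch_version):
        return False, f"torch {torch_version or '?'} is below 2.6.0"
    hits = scan_archive(data)
    return (False, "file-mapping call in " + ", ".join(hits)) if hits else (True, "ok")


def constructed_sample(code: bytes) -> bytes:
    """Constructed stand-in for a model archive; not a loadable model."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/code/__torch__.py", code)
    return buf.getvalue()
```

In a loading pipeline, pass `importlib.metadata.version("torch")` as `torch_version` and the raw file bytes as `data`, and skip `torch.load()` whenever the first element of the result is `False`.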
# CVE-2025-32434 PoC - User Guide
## How to Use This Proof of Concept
This guide provides step-by-step instructions on how to use the CVE-2025-32434 proof of concept (PoC) script.
---
## Prerequisites
Before you begin, make sure you have:
- **PyTorch 2.5.1 or earlier** (vulnerable version) installed
### Install PyTorch
```bash
# Install PyTorch (vulnerable version for testing)
pip install torch==2.5.1

# Or install latest (for testing the fix)
pip install torch
```