"Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft"

Security researchers at Huntr discovered a critical-severity vulnerability in the PyTorch machine learning library that could be exploited for remote code execution. The vulnerability, tracked as CVE-2024-5480, impacts PyTorch's distributed RPC (Remote Procedure Call) framework. The researchers said that the issue exists because the framework does not verify the functions called during RPC operations. The framework is used in distributed training scenarios, and the flaw can be exploited for arbitrary command execution during multi-CPU RPC communication by abusing built-in Python functions. CVE-2024-5480, which has been assessed with a CVSS score of 10, was reported on April 12 and impacts PyTorch version 2.2.2 and prior. The latest iteration of the machine learning library is currently version 2.3.1.
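An added illustration of the missing check described above, not PyTorch's code or its patch: a minimal RPC callee that runs only functions explicitly exported by name and refuses everything else, including Python built-ins. The names `rpc_export`, `dispatch`, `try_dispatch`, `add_gradients` and the request shape are assumptions made for this example.

```python
import builtins


class RpcRejected(Exception):
    """Raised when a request does not name an exported function."""


# Exported name -> callable. These are the only functions a peer may invoke.
_ALLOWED = {}


def rpc_export(func):
    """Register func as remotely callable (hypothetical decorator)."""
    # Never let an interpreter built-in (eval, exec, __import__, ...) be exported.
    if getattr(builtins, func.__name__, None) is func:
        raise ValueError(f"refusing to export built-in {func.__name__!r}")
    _ALLOWED[func.__name__] = func
    return func


def dispatch(request):
    """Handle one request of the assumed shape {"func": str, "args": list}."""
    name = request.get("func")
    args = request.get("args", [])
    if not isinstance(name, str) or not isinstance(args, list):
        raise RpcRejected("malformed request")
    # Exact-name lookup only: no import, no getattr walk, no builtins fallback.
    func = _ALLOWED.get(name)
    if func is None:
        raise RpcRejected(f"function not exported: {name!r}")
    return func(*args)


@rpc_export
def add_gradients(a, b):
    """Sample exported function (constructed for the example)."""
    return [x + y for x, y in zip(a, b)]


def try_dispatch(request):
    """Return ("ok", result) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", dispatch(request))
    except RpcRejected as exc:
        return ("rejected", str(exc))
```

The point of the design is that the caller supplies only a key into a fixed table; the callee never resolves a caller-supplied name against modules or the built-in namespace.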

 

SecurityWeek reports: "Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft"

Submitted by Adam Ekwall on