2353598 – (CVE-2024-7804) CVE-2024-7804 pytorch: Deserialization of Untrusted Data in pytorch/pytorch

Bug 2353598 (CVE-2024-7804) - CVE-2024-7804 pytorch: Deserialization of Untrusted Data in pytorch/pytorch

Summary: CVE-2024-7804 pytorch: Deserialization of Untrusted Data in pytorch/pytorch

Keywords:
Status:	NEW
Alias:	CVE-2024-7804
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2354566
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-20 11:03 UTC by OSIDB Bzimport
Modified:	2025-06-18 10:14 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-20 11:03:45 UTC

A deserialization vulnerability exists in the Pytorch RPC framework (torch.distributed.rpc) in pytorch/pytorch versions <=2.3.1. The vulnerability arises from the lack of security verification during the deserialization process of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py. This flaw allows an attacker to execute arbitrary code remotely by sending a malicious serialized PythonUDF object, leading to remote code execution (RCE) on the master node.

Note You need to log in before you can comment on or make changes to this bug.