PyTorch: Manipulation of the argument scale/zero_point leads to improper initialization via Quantized Sigmoid Module

GHSA-x3gm-94wq-g975 · BIT-pytorch-2025-2149 · CVE-2025-2149 · PYSEC-2025-190

Published Mar 10, 2025 · Modified Jun 9, 2026

Description

A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-2149
WEB https://github.com/pytorch/pytorch/issues/147818
WEB https://github.com/pytorch/pytorch/issues/147818#issue-2877301660
WEB https://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-190.yaml
PACKAGE https://github.com/pytorch/pytorch
WEB https://vuldb.com/?ctiid.299060
WEB https://vuldb.com/?id.299060
WEB https://vuldb.com/?submit.506563

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes