AVID-2026-R1551
Description
Vulnerability CVE-2024-48063
Details
In PyTorch <=2.4.1, RemoteModule is affected by a deserialization remote code execution (RCE) issue. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
Reason for inclusion in AVID: CVE-2024-48063 describes a deserialization remote code execution vulnerability in PyTorch RemoteModule for versions <= 2.4.1. PyTorch is a core AI framework that is widely used to build, train, and deploy AI systems, including distributed AI workflows, so the issue directly affects software components and runtimes in AI pipelines and represents a tangible vulnerability in the AI software supply chain. The report includes a CVE entry and multiple references (NVD, GitHub issues, etc.), which provide sufficient signal for inclusion despite some dispute over whether the behavior is intended. It therefore qualifies as a supply-chain-relevant AI vulnerability.
References
- NVD entry
- https://rumbling-slice-eb0.notion.site/Distributed-RPC-Framework-RemoteModule-has-Deserialization-RCE-in-pytorch-pytorch-111e3cda9e8c8021a7d3cbc61ee1a20c
- https://gist.github.com/hexian2001/c046c066895a963ecc0a2cf9e1180065
- https://github.com/pytorch/pytorch/issues/129228
- https://github.com/pytorch/pytorch/security/policy#using-distributed-features
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-10-29
- Version: 0.3.3
- AVID Entry