PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading model using torch.load with weights_only=True, it can still achieve RCE.
Advisories for Pypi/Pytorch package
2025