CVE-2024-7804: Withdrawn Advisory: PyTorch deserialization vulnerability

March 20, 2025 (updated April 2, 2025)

Withdrawn Advisory

This advisory has been withdrawn because it describes known functionality of PyTorch. This link is maintained to preserve external references.

Original Description

A deserialization vulnerability exists in the PyTorch RPC framework (torch.distributed.rpc) in pytorch/pytorch versions <=2.3.1. The vulnerability arises from the lack of security verification during the deserialization process of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py. This flaw allows an attacker to execute arbitrary code remotely by sending a malicious serialized PythonUDF object, leading to remote code execution (RCE) on the master node.

References

  • github.com/advisories/GHSA-4vmg-rw8f-92f9
  • github.com/pytorch/pytorch
  • github.com/pytorch/pytorch/blob/27a14405d3b996d572ba18339410e29ec005c775/torch/distributed/rpc/internal.py
  • huntr.com/bounties/0e870eeb-f924-4054-8fac-d926b1fb7259
  • nvd.nist.gov/vuln/detail/CVE-2024-7804

Affected versions

All versions up to 2.3.1

Solution

Unfortunately, there is no solution available yet.

Impact 9.8 CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-502: Deserialization of Untrusted Data

Source file

pypi/torch/CVE-2024-7804.yml

Page generated Wed, 14 May 2025 12:14:46 +0000.