Improper Initialization in PyTorch's Quantized Sigmoid Module
CVE-2025-2149

2LOW

Key Information:

Vendor
PyTorch
Status
Pytorch
Vendor
CVE Published:
10 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability has been identified in PyTorch, specifically within the nnq_Sigmoid function of the Quantized Sigmoid Module. This issue arises due to improper initialization stemming from manipulated arguments related to scale and zero_point. Although the attack is categorized as local, the complexity involved in exploiting the vulnerability is notably high. Despite the challenges, public disclosure of the exploit may pose risks, warranting increased attention from developers and users of PyTorch. The inconsistency between the implementation and documented design further underscores the necessity for prompt remediation to maintain system integrity.

Affected Version(s)

PyTorch 2.6.0+cu124

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-2149 - Proof of Concept

References

https://vuldb.com/?id.299060
vdb-entrytechnical-description
https://vuldb.com/?ctiid.299060
signaturepermissions-required
https://vuldb.com/?submit.506563
third-party-advisory

CVSS V4

Score:
2
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Default436352 (VulDB User)
.