CVE-2025-2149 in PyTorch

Summary

by MITRE • 03/10/2025

A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.


Analysis

by VulDB Data Team • 06/23/2025

The vulnerability identified as CVE-2025-2149 represents a critical security flaw within the PyTorch deep learning framework version 2.6.0+cu124. This issue specifically targets the quantized sigmoid module functionality, which is a fundamental component in neural network implementations where floating-point operations are converted to lower precision formats for efficiency. The vulnerability manifests in the nnq_Sigmoid function, which handles the quantization process for sigmoid activation functions commonly used in various machine learning models.

The technical flaw stems from improper initialization of quantization parameters, specifically the scale and zero_point arguments that are essential for converting floating-point values to quantized representations. When these parameters are manipulated during the function execution, the quantization process fails to establish proper mapping between the original floating-point values and their quantized equivalents. This misconfiguration can lead to incorrect model behavior during inference or training phases, potentially causing significant computational errors that affect model accuracy and reliability. The vulnerability operates at the level of quantization parameters rather than core mathematical operations, making it particularly insidious as it affects the fundamental assumptions underlying quantized neural networks.

The operational impact of this vulnerability extends beyond simple computational errors to potentially compromise the integrity of machine learning models deployed in production environments. Local exploitation requires an attacker to have access to the system running the PyTorch application, which limits the attack surface but does not eliminate the risk entirely. The high complexity and difficulty of exploitation suggest that this vulnerability requires significant technical expertise to leverage effectively, potentially limiting its widespread use in automated attacks. However, the fact that exploitation techniques have been disclosed publicly means that sophisticated adversaries could potentially develop working exploits. The vulnerability affects quantized neural networks where sigmoid activation functions are used, which represents a substantial portion of modern deep learning applications, particularly those optimized for edge deployment or resource-constrained environments.

Mitigation strategies should focus on immediate patching of affected PyTorch installations to version 2.6.1 or later where the quantization parameter handling has been corrected. System administrators should also implement strict access controls and monitoring for systems running PyTorch applications, particularly those handling sensitive data or critical inference workloads. The vulnerability aligns with CWE-665 Improper Initialization and relates to ATT&CK technique T1059.001 Command and Scripting Interpreter for potential exploitation methods. Organizations should also consider implementing runtime validation of quantization parameters and conducting regular security audits of machine learning pipelines to detect any anomalous behavior that might indicate exploitation attempts. Additionally, developers should ensure that quantization parameters are properly validated before being passed to quantized module functions, and that proper error handling mechanisms are in place to prevent improper initialization from causing system-wide failures.
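The runtime validation of scale and zero_point recommended above can be done before the quantized module is ever constructed. The following is an added example, not code from PyTorch or from this advisory: the names `check_qparams`, `make_quantized_sigmoid`, `audit` and `QuantParamError` are hypothetical, and the `quint8` output dtype and the `torch.ao.nn.quantized` import path are assumptions.

```python
import math

# Integer ranges of PyTorch's 8-bit quantized dtypes.
QRANGES = {"quint8": (0, 255), "qint8": (-128, 127)}
# Constructed sample (scale, zero_point) pairs; only the first one is valid.
SAMPLES = [(1 / 256, 0), (float("nan"), 0), (0.0, 0), (-1.0, 0),
           (0.1, 256), (0.1, True), (0.1, 3.0)]

class QuantParamError(ValueError):
    """Raised when scale/zero_point cannot describe a valid quantization."""

def check_qparams(scale, zero_point, dtype="quint8"):
    """Return (scale, zero_point) as (float, int) or raise QuantParamError."""
    if dtype not in QRANGES:
        raise QuantParamError(f"unsupported quantized dtype: {dtype!r}")
    # bool is a subclass of int, so it is rejected explicitly for both values.
    if isinstance(scale, bool) or not isinstance(scale, (int, float)):
        raise QuantParamError(f"scale must be a real number, got {type(scale).__name__}")
    try:
        scale = float(scale)
    except OverflowError:
        scale = math.inf  # an int too large for a float fails the check below
    if not math.isfinite(scale) or scale <= 0.0:
        raise QuantParamError(f"scale must be finite and > 0, got {scale!r}")
    if isinstance(zero_point, bool) or not isinstance(zero_point, int):
        raise QuantParamError(f"zero_point must be an int, got {type(zero_point).__name__}")
    lo, hi = QRANGES[dtype]
    if not lo <= zero_point <= hi:
        raise QuantParamError(f"zero_point {zero_point} outside [{lo}, {hi}] for {dtype}")
    return scale, zero_point

def make_quantized_sigmoid(scale, zero_point):
    """Validate first, then build the module; torch is imported only here."""
    scale, zero_point = check_qparams(scale, zero_point, "quint8")  # assumed dtype
    import torch.ao.nn.quantized as nnq  # assumed import path
    return nnq.Sigmoid(scale, zero_point)

def audit(candidates=SAMPLES):
    """Classify (scale, zero_point) pairs as 'ok' or 'rejected: <reason>'."""
    results = []
    for scale, zp in candidates:
        try:
            check_qparams(scale, zp)
            results.append("ok")
        except QuantParamError as exc:
            results.append(f"rejected: {exc}")
    return results
```

Rejecting the pair at this boundary turns a bad parameter into a handled `QuantParamError` in the calling pipeline instead of letting it reach the quantized module.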

Responsible: VulDB

Disclosure: 03/10/2025

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00051

KEV: no

Activities: very low
