CVE-2025-55554 in PyTorchinfo

Summary

by MITRE • 09/25/2025

pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/30/2025

The vulnerability identified as CVE-2025-55554 affects pytorch version 2.8.0 and stems from an integer overflow condition within the torch.nan_to_num-.long() component. This issue represents a critical security flaw that can potentially lead to unpredictable behavior and system instability when processing numerical data containing NaN values. The integer overflow occurs during the conversion of floating-point numbers to long integers within the nan_to_num function, which is designed to replace NaN values with specified numbers and handle infinite values appropriately. The vulnerability manifests when the function processes inputs that cause arithmetic operations to exceed the maximum representable value for the target integer type, creating conditions where the program may behave erratically or crash. This flaw impacts any application or system utilizing pytorch 2.8.0 that employs the nan_to_num function with long integer conversions, particularly in scenarios involving large datasets or extreme numerical values. The integer overflow can potentially be exploited to cause denial of service conditions or, in more sophisticated attack scenarios, could enable arbitrary code execution depending on how the affected code paths are utilized within larger applications. This vulnerability aligns with CWE-190, which specifically addresses integer overflow conditions that occur during arithmetic operations, and represents a significant concern for machine learning environments where numerical stability and predictable behavior are paramount. The issue is particularly concerning in production systems where pytorch is used for data processing pipelines that may encounter unexpected numerical inputs or edge cases in their data streams. The operational impact extends beyond simple crashes to include potential data corruption or incorrect computational results when the overflow condition affects the internal state of numerical computations. Security researchers have identified this as a high-risk vulnerability due to the potential for exploitation in environments where pytorch is integrated with other systems or used in automated processing workflows. Organizations utilizing pytorch 2.8.0 should immediately assess their use of the nan_to_num function and implement mitigation strategies to prevent exploitation. The ATT&CK framework categorizes this vulnerability under privilege escalation and denial of service tactics, as it can potentially allow attackers to disrupt service availability or manipulate computational results through carefully crafted numerical inputs. The vulnerability's impact is amplified in machine learning environments where large-scale numerical computations are common, making it a significant concern for data science and artificial intelligence applications. Mitigation efforts should focus on upgrading to patched versions of pytorch, implementing input validation to prevent extreme numerical values from reaching the vulnerable function, and monitoring system behavior for signs of overflow conditions. Additionally, developers should consider implementing defensive programming practices such as bounds checking and overflow detection mechanisms when working with numerical data processing functions. The integer overflow in torch.nan_to_num-.long() represents a fundamental flaw in how the library handles numerical edge cases, highlighting the importance of rigorous testing for numerical stability in mathematical computing libraries. This vulnerability demonstrates the critical need for comprehensive security testing of mathematical and numerical computing components, as these libraries often form the backbone of scientific computing and machine learning applications where reliability is essential. Organizations should also consider implementing automated testing procedures that specifically target numerical edge cases to prevent similar vulnerabilities from being introduced in future releases or custom implementations of similar functionality.

Responsible

MITRE

Reservation

08/13/2025

Disclosure

09/25/2025

Moderation

accepted

CPE

ready

EPSS

0.00294

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!