Login Sign Up

CVE-2024-48063

9.8 CRITICAL
Remote Code Execution Deserialization

📋 TL;DR

This vulnerability allows remote code execution through deserialization in PyTorch's RemoteModule feature. It affects users running PyTorch distributed computing with RemoteModule enabled. The vulnerability is disputed as intended behavior for distributed computing functionality.

💻 Affected Systems

Products:
  • PyTorch
Versions: <=2.4.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using PyTorch's distributed RemoteModule feature. Standard PyTorch installations without distributed computing are not affected.

📦 What is this software?

Pytorch by Linuxfoundation

View all CVEs affecting Pytorch →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attacker to execute arbitrary code with the privileges of the PyTorch process, potentially leading to data theft, system takeover, or lateral movement.

🟠

Likely Case

Limited impact in controlled environments where RemoteModule is used only between trusted nodes, but could lead to RCE if untrusted nodes are allowed to connect.

🟢

If Mitigated

Minimal impact when proper network segmentation and authentication controls are implemented between distributed nodes.

🌐 Internet-Facing: LOW - RemoteModule is typically used in internal distributed computing environments, not exposed to the internet.
🏢 Internal Only: HIGH - If internal nodes are compromised or untrusted nodes can connect, this provides a path for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the RemoteModule endpoint. The vulnerability is disputed as intended behavior for distributed computing where nodes must be trusted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://github.com/pytorch/pytorch/security/policy#using-distributed-features

Restart Required: No

Instructions:

No official patch as this is disputed behavior. Follow PyTorch security guidance for distributed features.

🔧 Temporary Workarounds

Disable RemoteModule

all

Avoid using RemoteModule feature in distributed PyTorch applications

Network Segmentation

all

Restrict network access to PyTorch distributed nodes to trusted sources only

🧯 If You Can't Patch

  • Implement strict network controls allowing only trusted nodes to connect to PyTorch distributed services
  • Use authentication and encryption for all distributed PyTorch communications

🔍 How to Verify

Check if Vulnerable:

Check if using PyTorch <=2.4.1 with RemoteModule feature enabled in distributed applications

Check Version:

python -c "import torch; print(torch.__version__)"

Verify Fix Applied:

Verify distributed nodes only communicate with trusted endpoints and RemoteModule is not used with untrusted sources

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to PyTorch distributed ports
  • Errors in PyTorch distributed module logs

Network Indicators:

  • Unexpected traffic to PyTorch distributed RPC ports (default 29500)

SIEM Query:

destination_port:29500 AND NOT source_ip IN [trusted_node_ips]

📊 Metadata

CVE ID: CVE-2024-48063
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Published: October 29, 2024
Last Updated: July 16, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-48063, you might also want to check these:

CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire ...

Same vulnerability type (CWE-502)
CVE-2023-49772 10.0

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserializ...

Same vulnerability type (CWE-502)
CVE-2024-25100 10.0

This vulnerability allows unauthenticated attackers to inject malicious PHP objects via deserializat...

Same vulnerability type (CWE-502)