CVE-2025-65213
📋 TL;DR
This CVE describes a critical remote code execution vulnerability in MooreThreads torch_musa where unsafe deserialization via pickle.load() allows arbitrary Python code execution. Attackers can exploit this by crafting malicious pickle files that execute when loaded by vulnerable functions. All users of torch_musa are affected regardless of version.
💻 Affected Systems
- MooreThreads torch_musa
📦 What is this software?
Torch Musa by Mthreads
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the torch_musa process, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution allowing attackers to execute arbitrary commands, install malware, or exfiltrate sensitive data from affected systems.
If Mitigated
Limited impact if proper network segmentation, least privilege, and input validation are implemented, though the vulnerability remains exploitable.
🎯 Exploit Status
Exploitation requires attacker to control file paths passed to vulnerable functions, but pickle deserialization vulnerabilities are well-understood and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588
Restart Required: No
Instructions:
No official patch available. Monitor the GitHub issue for updates and apply any future patches immediately.
🔧 Temporary Workarounds
Disable vulnerable functions
allRemove or disable access to compare_for_single_op() and nan_inf_track_for_single_op() functions
# Modify torch_musa source to comment out or remove vulnerable functions
# Or implement wrapper functions that validate inputs before calling pickle.load()
Implement input validation
allAdd strict validation of file paths and content before deserialization
# Add file signature validation before pickle.load()
# Implement allowlisting of trusted file sources
# Use safer serialization formats like JSON instead of pickle
🧯 If You Can't Patch
- Isolate affected systems in network segments with strict egress filtering
- Implement application allowlisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check if your code imports torch_musa.utils.compare_tool and calls compare_for_single_op() or nan_inf_track_for_single_op() with user-controlled inputsCheck Version:
python -c "import torch_musa; print(torch_musa.__version__)"Verify Fix Applied:
Test that pickle.load() is no longer called with untrusted inputs in the vulnerable functions📡 Detection & Monitoring
Log Indicators:
- Unusual Python process spawning
- Pickle deserialization errors
- File access to unexpected pickle files
Network Indicators:
- Outbound connections from torch_musa processes to unexpected destinations
- Data exfiltration patterns
SIEM Query:
process_name: "python" AND command_line: "*torch_musa*" AND (command_line: "*pickle*" OR command_line: "*compare_for_single_op*" OR command_line: "*nan_inf_track_for_single_op*")