fix: update invalid PyTorch version 2.5.1 to valid 2.5.0 (#366) #375
moksha-hub wants to merge 1 commit into AOSSIE-Org:main from
Walkthrough: A dependency version downgrade of torch from 2.5.1 to 2.5.0 in the requirements file. No other changes to the codebase or exported entities.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@requirements.txt`:
- Line 1: The requirements file pins a vulnerable PyTorch release
("torch==2.5.0"); update that dependency to a secure version by replacing the
pinned version with "torch>=2.6.0" (preferably "torch==2.7.0" for a stable fixed
release) in the requirements.txt entry for torch, then run your dependency
install/tests to verify compatibility and adjust any code that depends on the
older API if needed.
| @@ -1,4 +1,4 @@ | |||
| torch==2.5.1 | |||
| torch==2.5.0 | |||
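Review bot: The replacement pin `torch==2.5.0` is itself an affected release for GHSA-53q9-r3pm-6pq6 (CVE-2025-32434), which this review's analysis reports as fixed in 2.6.0, so the hunk trades an uninstallable version for an installable but vulnerable one. Suggest changing line 1 to `torch>=2.6.0` (or an exact pin such as `torch==2.7.0`, the stable release named in the analysis) and re-running the install and test suite to confirm nothing depends on the older API.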
🧩 Analysis chain
🌐 Web query:
PyTorch 2.5.1 PyPI release version
💡 Result:
Short answer: PyTorch 2.5.1 is not published as the official torch wheel on PyPI (pip install torch==2.5.1 from pypi/simple will fail). See reports/issues. [1][3]
How to get 2.5.1: the project provides 2.5.1 wheels via the official PyTorch indexes and conda channels (pip --index-url https://download.pytorch.org/whl/... or conda install from the pytorch channel). [2]
Sources:
- Issue reporting pip can't find torch==2.5.1 on PyPI. [1]
- PyTorch “Previous versions” install instructions showing pip/conda install commands for 2.5.1 using download.pytorch.org / pytorch channels. [2]
- PyPI torch project pages (PyPI does not serve the full 2.5.1 torch wheel list). [3]
🌐 Web query:
PyTorch 2.5.0 security vulnerabilities CVE GHSA
💡 Result:
Short answer: PyTorch 2.5.0 is affected by the critical RCE reported as CVE-2025-32434 (GitHub GHSA-53q9-r3pm-6pq6) — the flaw lets a crafted model loaded with torch.load(weights_only=True) achieve remote code execution. The issue was fixed in PyTorch 2.6.0; upgrade to 2.6.0+ or avoid loading untrusted model files. [1][2][3]
Sources:
- PyTorch security advisory (GHSA-53q9-r3pm-6pq6). [1]
- NVD entry for CVE-2025-32434. [2]
- OSV / advisory database summary (shows affected ranges including 2.5.0 and fixed in 2.6.0). [3]
🌐 Web query:
torch.load weights_only RCE vulnerability GHSA-53q9-r3pm-6pq6
💡 Result:
Summary: GHSA-53q9-r3pm-6pq6 (CVE-2025-32434) is a critical remote code execution (RCE) in PyTorch where torch.load(..., weights_only=True) can still deserialize/execute malicious payloads. Affected versions: all torch <= 2.5.1. Fixed in PyTorch 2.6.0. Remediation: upgrade to torch 2.6.0+; do not load model files from untrusted sources; consider safetensors or other safe formats and validate model provenance. [1][2][3]
References
- GitHub advisory GHSA-53q9-r3pm-6pq6 (PyTorch): torch.load with weights_only=True RCE. [1]
- OSV / vulnerability entry (CVE-2025-32434) listing affected/patched versions. [2]
- NVD / CVE-2025-32434 summary. [3]
(If you want, I can give exact pip/conda upgrade commands, detection queries for dependency scanners, or mitigation code examples.)
🌐 Web query:
PyTorch latest stable version 2025
💡 Result:
The latest stable PyTorch (as of January 18, 2026) is PyTorch 2.7.0. [1][2]
Sources:
- PyTorch official site (Install page showing Stable = 2.7.0). [1]
- PyTorch versions wiki (PyTorch 2.7.0, released 04/23/2025). [2]
Downgrading to torch 2.5.0 introduces a critical remote code execution (RCE) vulnerability.
PyTorch 2.5.0 (and 2.5.1) are affected by GHSA-53q9-r3pm-6pq6 (CVE-2025-32434), which allows remote code execution through torch.load() even with weights_only=True. This vulnerability was fixed in PyTorch 2.6.0.
While PyTorch 2.5.1 does exist (available via download.pytorch.org and conda channels, though not on the standard PyPI index), it is also vulnerable to this RCE. Instead of downgrading, upgrade to torch 2.6.0 or later (preferably 2.7.0, the current stable release) to resolve the vulnerability.
🧰 Tools
🪛 OSV Scanner (2.3.2)
[CRITICAL] 1-1: torch 2.5.0: undefined
(PYSEC-2025-41)
[CRITICAL] 1-1: torch 2.5.0: PyTorch susceptible to local Denial of Service
[CRITICAL] 1-1: torch 2.5.0: PyTorch: torch.load with weights_only=True leads to remote code execution
[CRITICAL] 1-1: torch 2.5.0: PyTorch Improper Resource Shutdown or Release vulnerability
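One way to make the reviewer's finding mechanical, as an added example that is not part of the PR or of CodeRabbit's own tooling: a small Python checker that classifies torch specifiers in a requirements file against the fixed-in bound (2.6.0) cited in the review. The sample requirements text is constructed, and the simplified specifier grammar (only `==`, `>=`, `>` and `~=`, no upper bounds) is an assumption.

```python
import re

# Advisory cited in the review: GHSA-53q9-r3pm-6pq6 / CVE-2025-32434 affects
# torch <= 2.5.1 and is fixed in 2.6.0 (version bounds taken from the review).
ADVISORY = "GHSA-53q9-r3pm-6pq6 (CVE-2025-32434)"
FIXED_IN = (2, 6, 0)

# Constructed sample requirements.txt; the first line is the pin from the PR.
SAMPLE_REQUIREMENTS = """\
torch==2.5.0
numpy>=1.26
# torch==2.7.0  (commented out, must be ignored)
torch>=2.6.0 ; python_version >= "3.9"
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|>)?\s*([0-9][0-9.]*)?")


def parse_version(text):
    """'2.5.0' -> (2, 5, 0); tuples compare component-wise like release segments."""
    return tuple(int(part) for part in text.strip(".").split("."))


def classify_torch_line(line):
    """Classify one requirements line against the advisory. Returns None for
    non-torch lines, else 'affected' (exact pin on a vulnerable release, the PR's
    case), 'allows_affected' (floor below 2.6.0, so the resolver may still pick
    2.5.x), 'fixed' (only 2.6.0+ can resolve) or 'unpinned' (no version given)."""
    body = line.split("#", 1)[0].strip()          # drop comments and whitespace
    m = _REQ_RE.match(body)
    if not m or m.group(1).lower() != "torch":
        return None
    op, ver = m.group(2), m.group(3)
    if not op or not ver:
        return "unpinned"
    v = parse_version(ver)
    if op == "==":
        return "affected" if v < FIXED_IN else "fixed"
    if op == "~=":                                # ~=2.5.0 allows only 2.5.x
        return "affected" if v[:2] < FIXED_IN[:2] else "fixed"
    return "fixed" if v >= FIXED_IN else "allows_affected"   # >= or > floor


def scan_requirements(text):
    """Return [(line_no, status, line)] for every torch requirement found."""
    return [(no, st, ln.strip()) for no, ln in enumerate(text.splitlines(), 1)
            if (st := classify_torch_line(ln)) is not None]


if __name__ == "__main__":
    for no, status, line in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {status:16}{line}  [{ADVISORY}]")
```

Run against the real file with `scan_requirements(open("requirements.txt").read())`; any 'affected' or 'allows_affected' result is the condition the review flags.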