1 High-Security vulnerability found in Black Duck scan

Hello!

I’m using PyTorch on a project that uses pre-trained AI models. The previous version was 2.2.2, so I updated to version 2.4.1 (current) due to the Black Duck scan reporting that the library was a high-security risk, due to a vulnerability found in the software. Even with the update, the vulnerability still exists.

" Description
PyTorch is vulnerable to remote code execution (RCE) via command injection within the torch.distributed.rpc framework. An attacker could exploit this in order to remotely attack master nodes that are starting distributed training."

Is there any action that can be taken to mitigate this security vulnerability?

Do you have a CVE number by any chance? I’ve found NVD - CVE-2024-5480 which were rejected, may be due to pytorch/SECURITY.md at main · pytorch/pytorch · GitHub (i.e. PyTorch is vulnerable on RCE only if one uses distribtued features, which should only be used in trusted environment)

Hi malfet,

It is exactly this CVE that Black Duck is complaining about, but the related code is from the software itself BDSA-2024-3458.

Black Duck scan full report

as Nikita mentioned, torch.distributed features should only be used in a trusted environment (as covered in SECURITY.md), so while Black Duck is doing its job, if you are in a trusted environment, you can just use it as-is.

Indeed.

I added a comment mentioning this discussion and the SECURITY.md to the code alert and the Black Duck Rollout team removed the security risk flag from the PyTorch package.

Thanks!