CVE-2025-65213

CriticalPublic PoC

Published: 15 December 2025

Published

15 December 2025

Modified

07 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0092 76.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary…

Python code when loaded, enabling remote code execution with the privileges of the victim process.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of user-controlled file inputs before deserialization with pickle.load(), directly preventing arbitrary code execution from malicious files.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of the unsafe deserialization flaw in torch_musa, eliminating the vulnerability through timely patching.

SI-7 Software, Firmware, and Information Integrity partial match

preventdetect

Provides integrity checks on software and information to detect or prevent malicious code execution resulting from unsafe deserialization.

Security SummaryAI

CVE-2025-65213 is an unsafe deserialization vulnerability affecting all versions of MooreThreads torch_musa, specifically in the torch_musa.utils.compare_tool module. The functions compare_for_single_op() and nan_inf_track_for_single_op() use pickle.load() to deserialize data from user-controlled file paths without any validation. This flaw, classified under CWE-502, enables arbitrary code execution when a malicious pickle file is loaded, as scored at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-12-15.

An attacker can exploit this vulnerability remotely without authentication or user interaction by crafting a malicious pickle file containing arbitrary Python code. If a victim process running torch_musa loads the file via the affected functions—such as during comparison or tracking operations—the embedded code executes with the privileges of the victim process, resulting in remote code execution (RCE). This allows full compromise of the host, including data theft, persistence, or further lateral movement.

For mitigation details, refer to the vendor discussion at https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588.

This vulnerability is particularly relevant to AI/ML workflows, as torch_musa extends PyTorch for MooreThreads hardware acceleration, potentially exposing machine learning development and inference environments to supply-chain risks. No real-world exploitation has been reported in available data.

Details

CWE(s): CWE-502

Affected Products

mthreads

torch musa

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unsafe deserialization via pickle.load() from user-controlled paths enables remote code execution without authentication or interaction, directly mapping to exploitation of a public-facing application vulnerability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588
Exploit, Issue Tracking · cve@mitre.org