CVE-2024-7804 Information
Mar 21, 2025
cve
Description
A deserialization vulnerability exists in the PyTorch RPC framework (torch.distributed.rpc) in pytorch/pytorch versions <=2.3.1. The vulnerability arises from the lack of security verification during the deserialization of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py. This flaw allows an attacker to send a malicious serialized PythonUDF object, leading to remote code execution (RCE) on the master node.
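One way to perform the kind of verification the description says is missing, as an added example that is not PyTorch's code or its fix. It assumes the serialized object is a Python pickle, uses a local stand-in for the PythonUDF tuple and a hypothetical allow-list (ALLOWED_CALLABLES), and the sample payloads are constructed and benign.

```python
import collections
import io
import math
import pickle
import platform

# Same (func, args, kwargs) layout as the RPC PythonUDF; defined locally as a
# stand-in (assumption) so the example runs without torch.
PythonUDF = collections.namedtuple("PythonUDF", ["func", "args", "kwargs"])

# Hypothetical allow-list of callables a peer may ask this node to run.
ALLOWED_CALLABLES = {("math", "hypot")}


class AllowListUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; refuse everything else."""

    def find_class(self, module, name):
        # Called for every global the stream references, before any object
        # is built from it, so a blocked name never gets imported or called.
        if (module, name) not in ALLOWED_CALLABLES:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_udf(data: bytes) -> PythonUDF:
    """Deserialize a received UDF under the allow-list, then check its shape."""
    obj = AllowListUnpickler(io.BytesIO(data)).load()
    if not (isinstance(obj, tuple) and len(obj) == 3 and callable(obj[0])):
        raise pickle.UnpicklingError("payload is not (func, args, kwargs)")
    func, args, kwargs = obj
    if not (isinstance(args, tuple) and isinstance(kwargs, dict)):
        raise pickle.UnpicklingError("malformed args/kwargs")
    return PythonUDF(func, args, kwargs)


def run_udf(data: bytes):
    """Validate first, execute second."""
    udf = load_udf(data)
    return udf.func(*udf.args, **udf.kwargs)


# Constructed sample payloads (benign): one allow-listed call, one that is not.
EXPECTED = pickle.dumps((math.hypot, (3, 4), {}))
UNEXPECTED = pickle.dumps((platform.node, (), {}))

if __name__ == "__main__":
    print(run_udf(EXPECTED))  # 5.0
    try:
        run_udf(UNEXPECTED)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

An allow-list narrows what a peer can invoke; it does not authenticate the peer, so it complements restricting who can reach the RPC port.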
Reference
https://huntr.com/bounties/0e870eeb-f924-4054-8fac-d926b1fb7259