| CARVIEW |
Select Language
HTTP/2 200
date: Thu, 31 Jul 2025 03:29:28 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"004fa0434262f50273ee006782056021"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=wNpW%2FSNxlyRGpYEr5%2BABkcX2EuBPS1Xb%2Fv2El6m7jeDpZx3nrE%2F1h3W7UDwukneNguNPg1gDQqcFwUxu6gW1toq9TkLwVJYTsLHC1YcFAjJcGirNbEGI86kKh919%2FpN0vU5mrUhCnIaa2ckL87Wb5IR3EZspSMKgmHd2kQ3iCkCEEOSfVUULx%2FZWlD6fJTacw8NAES%2B7TK%2BnlQi4F%2BC9RyLA9Q8SOygDaiUXrm7yrDCa351u8c4ew36Jr4nnsGSONRmhfsszN6maKEW%2B9mtYMw%3D%3D--ivGcmNu51kT3CaZL--F%2FE7VFQKVBp1iRHkyzbkqw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.135326059.1753932568; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 03:29:28 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 03:29:28 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: E3CE:3C0FA8:1CD446:2A6667:688AE318
PyTorch vulnerable to arbitrary code execution · CVE-2022-45907 · GitHub Advisory Database · GitHub
Skip to content
Navigation Menu
CVE-2022-45907
{{ message }}
PyTorch vulnerable to arbitrary code execution
Critical severity
GitHub Reviewed
Published
Nov 26, 2022
to the GitHub Advisory Database
•
Updated Nov 13, 2024
Description
Published by the National Vulnerability Database
Nov 26, 2022
Published to the GitHub Advisory Database
Nov 26, 2022
Reviewed
Dec 2, 2022
Last updated
Nov 13, 2024
Severity
Critical
/ 10
CVSS v4 base metrics
Exploitability Metrics
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User interaction
None
Vulnerable System Impact Metrics
Confidentiality
High
Integrity
High
Availability
High
Subsequent System Impact Metrics
Confidentiality
None
Integrity
None
Availability
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS score
(46th percentile)
Weaknesses
Weakness CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Learn more on MITRE.CVE ID
CVE-2022-45907
GHSA ID
GHSA-47fc-vmwq-366v
Source code
Credits
-
WilliamsCJ Analyst
Loading
Checking history
See something to contribute?
Suggest improvements for this vulnerability.
You can’t perform that action at this time.
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. The fix for this issue is available in version 1.13.1. There is a release checker in issue #89855.
References