
CVE-2025-32434: PyTorch's "safe" model loading flag isn't safe
The assumption that broke

For years, the PyTorch documentation said this: "Use weights_only=True to avoid arbitrary code execution when loading untrusted models."

That assumption is now broken.

CVE-2025-32434 was published on April 17, 2025. CVSS score: 9.3 (Critical). Researcher Ji'an Zhou demonstrated that torch.load() with weights_only=True can still achieve remote code execution on PyTorch versions ≤ 2.5.1.

If your team loads models from Hugging Face, TorchHub, or any community repository, and you haven't updated to PyTorch 2.6.0, you are exposed.

How the attack works

PyTorch uses Python's pickle format to serialize model weights. The weights_only=True parameter was designed to restrict deserialization to safe types only — tensors, primitives, basic containers.

Zhou demonstrated that an attacker can craft a model file that exploits inconsistencies in PyTorch's serialization validation to bypass these restrictions entirely. When a victim loads the malicious model, arbitrary code execu
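Two checks a defender can run before a checkpoint ever reaches torch.load(), as an added example that is not code from the article, from PyTorch, or from the researcher: a version gate that refuses to load community checkpoints on a PyTorch older than the 2.6.0 fix the article names, and a static scan of the pickle opcode stream (via the standard-library pickletools, which disassembles without executing) that lists every GLOBAL/STACK_GLOBAL reference and rejects any outside an allowlist. The allowlist contents, the function names, and the sample pickles are assumptions constructed for this illustration; the scan is defence in depth for spotting unexpected imports in a file, not a replacement for upgrading, since the vulnerability described above is in PyTorch's own restricted unpickler.

```python
"""Pre-load checks for pickle-based checkpoints (added example, not PyTorch code)."""
import pickle
import pickletools
import re
from typing import Dict, List, Optional, Tuple

Global = Tuple[str, str]

# ASSUMPTION: illustrative allowlist only; PyTorch's real weights_only allowlist is larger.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

# Opcode families we need to follow to resolve STACK_GLOBAL operands.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
UNRESOLVED: Global = ("<unresolved>", "<unresolved>")


def scan_pickle_globals(data: bytes) -> List[Global]:
    """Return every (module, name) the pickle would import, without running it.

    GLOBAL/INST carry "module name" inline; STACK_GLOBAL takes the two strings
    pushed just before it, which may come from the memo (BINGET), so a small
    memo is tracked. Anything we cannot resolve is reported as UNRESOLVED so
    the caller fails closed.
    """
    memo: Dict[int, Optional[str]] = {}
    pushed: List[Optional[str]] = []   # last two pushes: str literal or None
    found: List[Global] = []
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in ("PROTO", "FRAME", "STOP"):
            continue
        if name in STRING_OPS:
            pushed.append(arg)
        elif name in GET_OPS:
            pushed.append(memo.get(arg))
        elif name == "MEMOIZE":
            memo[len(memo)] = pushed[-1] if pushed else None
        elif name in PUT_OPS:
            memo[arg] = pushed[-1] if pushed else None
        elif name in ("GLOBAL", "INST"):
            module, _, qualname = arg.partition(" ")
            found.append((module, qualname))
            pushed.append(None)
        elif name == "STACK_GLOBAL":
            if len(pushed) >= 2 and isinstance(pushed[-2], str) and isinstance(pushed[-1], str):
                found.append((pushed[-2], pushed[-1]))
            else:
                found.append(UNRESOLVED)
            pushed.append(None)
        else:
            pushed.append(None)  # some other object landed on the stack
        del pushed[:-2]
    return found


def check_model_file(data: bytes, allowed=ALLOWED_GLOBALS) -> Tuple[bool, List[Global]]:
    """(ok, disallowed_globals): ok only if every referenced global is allowlisted."""
    disallowed = [g for g in scan_pickle_globals(data) if g not in allowed]
    return (not disallowed, disallowed)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def torch_version_is_patched(version: str, fixed=(2, 6, 0)) -> bool:
    """True if a torch.__version__ string (e.g. '2.6.0', '2.5.1+cu121') is >= the fix."""
    m = _VERSION_RE.match(version)
    if not m:
        return False  # unparseable version string: fail closed
    parts = tuple(int(p) if p else 0 for p in m.groups())
    return parts >= fixed


def load_policy(torch_version: str, data: bytes) -> Tuple[bool, str]:
    """Combine both gates into one decision for an untrusted checkpoint."""
    if not torch_version_is_patched(torch_version):
        return (False, f"torch {torch_version} is older than 2.6.0; upgrade before loading")
    ok, bad = check_model_file(data)
    if not ok:
        return (False, f"checkpoint references non-allowlisted globals: {bad}")
    return (True, "allowed")


# Constructed samples, not real checkpoints.
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2], "epoch": 3}, protocol=4)
UNTRUSTED_P4 = pickle.dumps(len, protocol=4)   # references builtins.len via STACK_GLOBAL
UNTRUSTED_P3 = pickle.dumps(len, protocol=3)   # same reference via the older GLOBAL opcode

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("untrusted", UNTRUSTED_P4)]:
        print(label, load_policy("2.6.0", blob), load_policy("2.5.1+cu121", blob))
```

In production, pass torch.__version__ to load_policy and scan the data.pkl entry inside the checkpoint zip rather than a bare pickle; the version gate fires first because, as the article explains, no file-level check compensates for loading on a vulnerable release.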