CVE-2025-30402
Published: 11 July 2025
Summary
CVE-2025-30402 is a high-severity vulnerability of an unspecified weakness type in a Facebook product (vendor inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30402 is a heap-buffer-overflow vulnerability in the loading of ExecuTorch methods, which can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch versions prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.
The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating network accessibility, low attack complexity, no required privileges, and required user interaction. An attacker can exploit it by tricking a user into loading a malicious ExecuTorch method, potentially achieving high confidentiality impact through data disclosure and high availability impact via crashes or denial of service, with possible code execution.
Mitigation requires updating to ExecuTorch commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f or later, as provided in the referenced GitHub patch. Further details are available in the Facebook security advisory at https://www.facebook.com/security/advisories/cve-2025-30402.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21177
Vulnerability details
A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.
- CWE(s): none listed (the weakness type is unspecified)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in ExecuTorch method loading directly enables client-side code execution when a user processes a malicious input file.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of vulnerabilities like this heap-buffer-overflow by applying the vendor-provided patch, i.e. updating to ExecuTorch commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f or later.
- SI-16 (Memory Protection): implements memory protection mechanisms that counter heap buffer overflows by preventing unauthorized code execution resulting from memory address errors during ExecuTorch method loading.
- SI-10 (Information Input Validation): validates information inputs such as ExecuTorch methods prior to loading, rejecting malformed or oversized data that could trigger the heap buffer overflow.