Cyber Resilience

CVE-2025-30402

Severity: High

Published: 11 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Mitigation)
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0043 (62.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30402 is a high-severity vulnerability of unspecified weakness type (no CWE listed) affecting Facebook (vendor inferred from references; the affected product is ExecuTorch). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 37.1% of CVEs by exploit likelihood (EPSS 62.9th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30402 is a heap-buffer-overflow vulnerability in the loading of ExecuTorch methods. A malformed method can crash the runtime and potentially lead to code execution or other undesirable effects. This issue affects ExecuTorch versions prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating network accessibility, low attack complexity, no required privileges, and required user interaction. An attacker exploits it by tricking a user into loading a malicious ExecuTorch method, potentially achieving high confidentiality impact through data disclosure and high availability impact via crashes or denial of service, with possible code execution. Because the trigger is a loaded method file, untrusted or externally sourced models are the relevant exposure.

Mitigation requires updating to ExecuTorch commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f or later, as provided in the referenced GitHub patch; confirm that deployed builds actually include that commit rather than relying on a release label alone. Further details are available in the Facebook security advisory at https://www.facebook.com/security/advisories/cve-2025-30402.

Vulnerability details

A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Heap buffer overflow in ExecuTorch method loading directly enables client-side code execution when a user processes a malicious input file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Facebook
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mandates timely remediation of vulnerabilities like this heap-buffer-overflow by applying the vendor-provided patch to ExecuTorch commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f or later.

SI-16 Memory Protection (prevent)
Implements memory protection mechanisms that directly counter heap buffer overflows by preventing unauthorized code execution from memory address errors during ExecuTorch method loading.

SI-10 Information Input Validation (prevent)
Validates information inputs such as ExecuTorch methods prior to loading to restrict malformed or oversized data that could trigger the heap buffer overflow.
