CVE-2025-65213
Published: 15 December 2025
Summary
CVE-2025-65213 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Mthreads Torch Musa. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-65213 is an unsafe deserialization vulnerability affecting all versions of MooreThreads torch_musa, specifically in the torch_musa.utils.compare_tool module. The functions compare_for_single_op() and nan_inf_track_for_single_op() use pickle.load() to deserialize data from user-controlled file paths without any validation. This flaw, classified under CWE-502, enables arbitrary code execution when a malicious pickle file is loaded, as scored at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-12-15.
An attacker can exploit this vulnerability remotely without authentication or user interaction by crafting a malicious pickle file containing arbitrary Python code. If a victim process running torch_musa loads the file via the affected functions—such as during comparison or tracking operations—the embedded code executes with the privileges of the victim process, resulting in remote code execution (RCE). This allows full compromise of the host, including data theft, persistence, or further lateral movement.
For mitigation details, refer to the vendor discussion at https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588.
This vulnerability is particularly relevant to AI/ML workflows, as torch_musa extends PyTorch for MooreThreads hardware acceleration, potentially exposing machine learning development and inference environments to supply-chain risks. No real-world exploitation has been reported in available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-203406
Vulnerability details
MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary…
more
Python code when loaded, enabling remote code execution with the privileges of the victim process.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization via pickle.load() from user-controlled paths enables remote code execution without authentication or interaction, directly mapping to exploitation of a public-facing application vulnerability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of user-controlled file inputs before deserialization with pickle.load(), directly preventing arbitrary code execution from malicious files.
Mandates identification, reporting, and correction of the unsafe deserialization flaw in torch_musa, eliminating the vulnerability through timely patching.
Provides integrity checks on software and information to detect or prevent malicious code execution resulting from unsafe deserialization.