- Notifications
You must be signed in to change notification settings - Fork6.6k
chore(deps): update dependency torch to v2.7.1 [security]#13405
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
chore(deps): update dependency torch to v2.7.1 [security]#13405
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hello@renovate-bot, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello team, gemini-code-assist here to provide a summary of this pull request. This PR, opened by renovate-bot, aims to update thetorch dependency in thedataflow/run-inference/requirements.txt file. The primary motivation for this update is to address recently disclosed security vulnerabilities in older versions oftorch, specificallyCVE-2025-32434 (a Remote Command Execution vulnerability) andCVE-2025-2953 (a Denial of Service vulnerability). The PR updates the version from2.2.2 to2.7.1 to incorporate the necessary security fixes.
Highlights
- Security Fixes: This update is crucial as it includes fixes for significant security vulnerabilities (CVE-2025-32434 andCVE-2025-2953) found in previous versions of
torch.
Changelog
- dataflow/run-inference/requirements.txt
- Updated the
torchdependency from version2.2.2to2.7.1.
- Updated the
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on ourdocumentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either/gemini <command> or@gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review | Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary | Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help | Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a.gemini/ folder in the base of the repository. Detailed instructions can be foundhere.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on@gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with theGemini Code Assist IDE Extension.
Dependency update,
Fixing bugs, making code safe,
Security patch.
Footnotes
Review thePrivacy Notices,Generative AI Prohibited Use Policy,Terms of Service, and learn how to configure Gemini Code Assist in GitHubhere. Gemini can make mistakes, so double check it anduse code with caution.↩
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Code Review
This pull request updates thetorch dependency from version2.2.2 to2.7.1. This is an important update as it addresses two security vulnerabilities:CVE-2025-32434 (Remote Command Execution intorch.load) andCVE-2025-2953 (Denial of Service intorch.mkldnn_max_pool2d).
The change is confined to therequirements.txt file and correctly updates the version string. The Renovate bot's compatibility checks indicate that this new version should be compatible with the existing dependencies, which is reassuring.
Given the security implications of the oldertorch version, this update is highly recommended. The code inmain.py (via Apache Beam'sPytorchModelHandlerTensor) anddownload_model.py involves model loading and saving, so ensuring PyTorch is up-to-date with security patches is crucial.
Overall, this is a beneficial and necessary update.
Summary of Findings
- Security Vulnerability Remediation: The primary purpose of this PR is to update
torchto v2.7.1, which addresses critical security vulnerabilities (CVE-2025-32434 andCVE-2025-2953) present in the previous version (v2.2.2). This is a crucial improvement for the security posture of the application. - Dependency Update: The
torchdependency has been updated from2.2.2to2.7.1indataflow/run-inference/requirements.txt. This change is correctly implemented.
Merge Readiness
This pull request directly addresses known security vulnerabilities by updating thetorch library. The change is minimal and appears to be compatible according to automated checks. I recommend merging this PR to enhance the security of the project. As I am an AI assistant, I am not authorized to approve pull requests; please ensure it undergoes any further necessary human review and testing procedures before merging.
8976e2a to54dff54Compare54dff54 toc3c3982Comparec3c3982 to6fd487dCompare6fd487d to5010020Compare5010020 toc062b4aComparec062b4a to9e87ef8Compare9e87ef8 to289f877Comparecae94c2 to481b810Compare481b810 tofd61294Comparefd61294 to5477d17Compare5477d17 to692cd95Compare692cd95 tod627c37Compared627c37 to6e93dcaCompare6e93dca to25e36d0Compare25e36d0 to4b1a6edCompare4b1a6ed tod49cc21Compare
Uh oh!
There was an error while loading.Please reload this page.
This PR contains the following updates:
==2.2.2->==2.7.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-32434
Description
I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading model using torch.load with weights_only=True, it can still achieve RCE.
Background knowledge
https://github.com/pytorch/pytorch/security
As you can see, the PyTorch official documentation considers using
torch.load()withweights_only=Trueto be safe.Since everyone knows that weights_only=False is unsafe, so they will use the weights_only=True to mitigate the seucirty issue.
But now, I just proved that even if you use weights_only=True, it can still achieve RCE.
Credit
This vulnerability was found by Ji'an Zhou.
CVE-2025-2953
A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Configuration
📅Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Never, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.