chore(deps): update dependency torch [security] #13405
Hello @renovate-bot, I'm Gemini Code Assist[^1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello team, gemini-code-assist here to provide a summary of this pull request. This PR, opened by renovate-bot, aims to update the `torch` dependency in the `dataflow/run-inference/requirements.txt` file. The primary motivation for this update is to address recently disclosed security vulnerabilities in older versions of `torch`, specifically CVE-2025-32434 (a Remote Command Execution vulnerability) and CVE-2025-2953 (a Denial of Service vulnerability). The PR updates the version from `2.2.2` to `2.7.1` to incorporate the necessary security fixes.
Highlights
- Security Fixes: This update is crucial as it includes fixes for significant security vulnerabilities (CVE-2025-32434 and CVE-2025-2953) found in previous versions of `torch`.
Changelog
- dataflow/run-inference/requirements.txt
  - Updated the `torch` dependency from version `2.2.2` to `2.7.1`.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either `/gemini <command>` or `@gemini-code-assist <command>`. Below is a summary of the supported commands.
Feature | Command | Description |
---|---|---|
Code Review | `/gemini review` | Performs a code review for the current pull request in its current state. |
Pull Request Summary | `/gemini summary` | Provides a summary of the current pull request in its current state. |
Comment | `@gemini-code-assist` | Responds in comments when explicitly tagged, both in issue comments and review comments. |
Help | `/gemini help` | Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a `.gemini/` folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Dependency update,
Fixing bugs, making code safe,
Security patch.
Footnotes
[^1]: Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.
Code Review
This pull request updates the `torch` dependency from version `2.2.2` to `2.7.1`. This is an important update as it addresses two security vulnerabilities: CVE-2025-32434 (Remote Command Execution in `torch.load`) and CVE-2025-2953 (Denial of Service in `torch.mkldnn_max_pool2d`).
The change is confined to the `requirements.txt` file and correctly updates the version string. The Renovate bot's compatibility checks indicate that this new version should be compatible with the existing dependencies, which is reassuring.
Given the security implications of the older `torch` version, this update is highly recommended. The code in `main.py` (via Apache Beam's `PytorchModelHandlerTensor`) and `download_model.py` involves model loading and saving, so ensuring PyTorch is up-to-date with security patches is crucial.
Overall, this is a beneficial and necessary update.
Summary of Findings
- Security Vulnerability Remediation: The primary purpose of this PR is to update `torch` to v2.7.1, which addresses critical security vulnerabilities (CVE-2025-32434 and CVE-2025-2953) present in the previous version (v2.2.2). This is a crucial improvement for the security posture of the application.
- Dependency Update: The `torch` dependency has been updated from `2.2.2` to `2.7.1` in `dataflow/run-inference/requirements.txt`. This change is correctly implemented.
Merge Readiness
This pull request directly addresses known security vulnerabilities by updating the `torch` library. The change is minimal and appears to be compatible according to automated checks. I recommend merging this PR to enhance the security of the project. As I am an AI assistant, I am not authorized to approve pull requests; please ensure it undergoes any further necessary human review and testing procedures before merging.
This PR contains the following updates:
- `==2.4.0` -> `==2.6.0`
- `==2.2.2` -> `==2.8.0`
GitHub Vulnerability Alerts
CVE-2025-32434
Description
I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading a model using torch.load with weights_only=True, it can still achieve RCE.
Background knowledge
https://github.com/pytorch/pytorch/security

As you can see, the PyTorch official documentation considers using `torch.load()` with `weights_only=True` to be safe.
Since everyone knows that weights_only=False is unsafe, they will use weights_only=True to mitigate the security issue.
But now, I just proved that even if you use weights_only=True, it can still achieve RCE.
Credit
This vulnerability was found by Ji'an Zhou.
CVE-2025-2953
A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
CVE-2025-3730
A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue.
Release Notes
pytorch/pytorch (torch)
v2.6.0: PyTorch 2.6.0 Release
Compare Source
Highlights
We are excited to announce the release of PyTorch® 2.6 (release notes)! This release features multiple improvements for PT2: `torch.compile` can now be used with Python 3.13; new performance-related knob `torch.compiler.set_stance`; several AOTInductor enhancements. Besides the PT2 improvements, another highlight is FP16 support on X86 CPUs.
NOTE: Starting with this release we are not going to publish on Conda, please see [Announcement] Deprecating PyTorch’s official Anaconda channel for the details.
For this release the experimental Linux binaries shipped with CUDA 12.6.3 (as well as Linux Aarch64, Linux ROCm 6.2.4, and Linux XPU binaries) are built with CXX11_ABI=1 and are using the Manylinux 2.28 build platform. If you build PyTorch extensions with custom C++ or CUDA extensions, please update these builds to use CXX_ABI=1 as well and report any issues you are seeing. For the next PyTorch 2.7 release we plan to switch all Linux builds to Manylinux 2.28 and CXX11_ABI=1, please see [RFC] PyTorch next wheel build platform: manylinux-2.28 for the details and discussion.
Also in this release as an important security improvement measure we have changed the default value for `weights_only` parameter of `torch.load`. This is a backward compatibility-breaking change, please see this forum post for more details.
This release is composed of 3892 commits from 520 contributors since PyTorch 2.5. We want to sincerely thank our dedicated community for your contributions. As always, we encourage you to try these out and report any issues as we improve PyTorch. More information about how to get started with the PyTorch 2-series can be found at our Getting Started page.
*To see a full list of public feature submissions click here.
BETA FEATURES
[Beta] torch.compiler.set_stance
This feature enables the user to specify different behaviors (“stances”) that `torch.compile` can take between different invocations of compiled functions. One of the stances, for example, is “eager_on_recompile”, that instructs PyTorch to code eagerly when a recompile is necessary, reusing cached compiled code when possible.
For more information please refer to the set_stance documentation and the Dynamic Compilation Control with torch.compiler.set_stance tutorial.
[Beta] torch.library.triton_op
`torch.library.triton_op` offers a standard way of creating custom operators that are backed by user-defined triton kernels.
When users turn user-defined triton kernels into custom operators, `torch.library.triton_op` allows `torch.compile` to peek into the implementation, enabling `torch.compile` to optimize the triton kernel inside it.
For more information please refer to the triton_op documentation and the Using User-Defined Triton Kernels with torch.compile tutorial.
[Beta] torch.compile support for Python 3.13
`torch.compile` previously only supported Python up to version 3.12. Users can now optimize models with `torch.compile` in Python 3.13.
[Beta] New packaging APIs for AOTInductor
A new package format, “PT2 archive”, has been introduced. This essentially contains a zipfile of all the files that need to be used by AOTInductor, and allows users to send everything needed to other environments. There is also functionality to package multiple models into one artifact, and to store additional metadata inside of the package.
For more details please see the updated torch.export AOTInductor Tutorial for Python runtime.
[Beta] AOTInductor: minifier
If a user encounters an error while using AOTInductor APIs, AOTInductor Minifier allows creation of a minimal nn.Module that reproduces the error.
For more information please see the AOTInductor Minifier documentation.
[Beta] AOTInductor: ABI-compatible mode code generation
AOTInductor-generated model code has dependency on Pytorch cpp libraries. As Pytorch evolves quickly, it’s important to make sure previously AOTInductor compiled models can continue to run on newer Pytorch versions, i.e. AOTInductor is backward compatible.
In order to guarantee application binary interface (ABI) backward compatibility, we have carefully defined a set of stable C interfaces in libtorch and make sure AOTInductor generates code that only refers to the specific set of APIs and nothing else in libtorch. We will keep the set of C APIs stable across Pytorch versions and thus provide backward compatibility guarantees for AOTInductor-compiled models.
[Beta] FP16 support for X86 CPUs (both eager and Inductor modes)
Float16 datatype is commonly used for reduced memory usage and faster computation in AI inference and training. CPUs like the recently launched Intel® Xeon® 6 with P-Cores support Float16 datatype with native accelerator AMX. Float16 support on X86 CPUs was introduced in PyTorch 2.5 as a prototype feature, and now it has been further improved for both eager mode and Torch.compile + Inductor mode, making it Beta level feature with both functionality and performance verified with a broad scope of workloads.
PROTOTYPE FEATURES
[Prototype] Improved PyTorch user experience on Intel GPUs
PyTorch user experience on Intel GPUs is further improved with simplified installation steps, Windows release binary distribution and expanded coverage of supported GPU models including the latest Intel® Arc™ B-Series discrete graphics. Application developers and researchers seeking to fine-tune, inference and develop with PyTorch models on Intel® Core™ Ultra AI PCs and Intel® Arc™ discrete graphics will now be able to directly install PyTorch with binary releases for Windows, Linux and Windows Subsystem for Linux 2.
For more information regarding Intel GPU support, please refer to Getting Started Guide.
[Prototype] FlexAttention support on X86 CPU for LLMs
FlexAttention was initially introduced in PyTorch 2.5 to provide optimized implementations for Attention variants with a flexible API. In PyTorch 2.6, X86 CPU support for FlexAttention was added through TorchInductor CPP backend. This new feature leverages and extends current CPP template abilities to support broad attention variants (e.x.: PageAttention, which is critical for LLMs inference) based on the existing FlexAttention API, and brings optimized performance on x86 CPUs. With this feature, it’s easy to use FlexAttention API to compose Attention solutions on CPU platforms and achieve good performance.
[Prototype] Dim.AUTO
`Dim.AUTO` allows usage of automatic dynamic shapes with `torch.export`. Users can export with `Dim.AUTO` and “discover” the dynamic behavior of their models, with min/max ranges, relations between dimensions, and static/dynamic behavior being automatically inferred.
This is a more user-friendly experience compared to the existing named-Dims approach for specifying dynamic shapes, which requires the user to fully understand the dynamic behavior of their models at export time. `Dim.AUTO` allows users to write generic code that isn’t model-dependent, increasing ease-of-use for exporting with dynamic shapes.
Please see torch.export tutorial for more information.
[Prototype] CUTLASS and CK GEMM/CONV Backends for AOTInductor
The CUTLASS and CK backend adds kernel choices for GEMM autotuning in Inductor. This is now also available in AOTInductor which can run in C++ runtime environments. A major improvement to the two backends is improved compile-time speed by eliminating redundant kernel binary compilations and dynamic shapes support.
Tracked Regressions
torch.device(0) makes CUDA init fail in subprocess
There is a known regression (#144152) that `torch.device(0)` makes CUDA init fail in subprocess since PyTorch 2.5.0.
There was an attempt to fix the regressions, but it caused some complications and was reverted.
An easy workaround is to use `torch.device('cuda')` or `torch.device('cuda:0')` instead.
Regression in the compilation of the torch.all operation with out= variant
A regression (#145220) was reported for PyTorch 2.6.0 with compilation of the `out=` variant of the `torch.all` operator. This should be a rare use case, a workaround can be rewriting the model code to avoid the `out=` variant.
Backwards Incompatible changes
Flip default torch.load to weights_only (#137602, #138225, #138866, #139221, #140304, #138936, #139541, #140738, #142153, #139433)
We are closing the loop on the deprecation that started in 2.4 and flipped `torch.load` to use `weights_only=True` by default.
When this flag is set, instead of using the usual pickle module, `torch.load` uses a custom unpickler constrained to call only functions and classes needed for loading state dictionaries and basic types.
While this change is disruptive for users serializing more than basic types, we expect the increased security by default is a tradeoff that is worth it. Do note that, even though this default is safer, we still recommend only loading trusted checkpoints and rely on more constrained (and even safer) formats like safetensors for un-trusted checkpoints.
For full details, please refer to this dev-discuss post.
Anaconda deprecation in CD. Remove anaconda dependency in Magma builds (#141024) (#141281) (#140157) (#139888) (#140141) (#139924) (#140158) (#142019) (#142276) (#142277) (#142282)
PyTorch will stop publishing Anaconda packages that depend on Anaconda’s default packages. We are directing users to utilize our official wheel packages from download.pytorch.org or PyPI, or switch to utilizing conda-forge (pytorch) packages if they would like to continue to use conda. For more details refer to this announcement
Added Manylinux 2.28 prototype support and CXX11_ABI=1 for following binaries: Linux CUDA 12.6, Linux aarch64 CPU, Linux aarch64 GPU CUDA 12.6, ROCm 6.2.4, Linux XPU (#139894) (#139631) (#139636) (#140743) (#137696) (#141565) (#140681) (#141609) (#141704) (#141423) (#141609)
The PyTorch binaries shipped with CUDA 12.6.3 are built with CXX11_ABI=1 and are using the Manylinux 2.28 build platform. If you are building PyTorch extensions with custom C++ or CUDA extensions, please update these builds to use CXX_ABI=1 as well and report any issues you are seeing. For the next PyTorch 2.7 release we plan to switch all Linux builds to Manylinux 2.28 and CXX11_ABI=1, please see [RFC] PyTorch next wheel build platform: manylinux-2.28 for the details and discussion.
ONNX
`torch.onnx.export(..., dynamo=True)` now creates ONNX models using IR version 10 (#141207)
ONNX ir_version=10 is used to add support for UINT4, INT4 data types and include metadata in GraphProto and NodeProto. Make sure model consumers are able to accept IR version 10 ONNX models. You may read more about IRv10 on https://github.com/onnx/onnx/releases/tag/v1.16.0.
Several obsolete APIs are removed (#133825, #136279, #137789, #137790)
Some logging APIs, `torch.onnx.ExportTypes`, `torch.onnx.export_to_pretty_string` are removed. Users should remove usage of the APIs above.
`torch.onnx.ONNXProgram` has been reimplemented and improved (#136281)
All ONNX "dynamo" APIs will return the new `ONNXProgram` class. Some notable methods available are `save()`, `optimize()`. It can also be directly applied on PyTorch tensors to leverage ONNX Runtime to verify the ONNX graph. Some legacy methods are no longer available.
Deprecations
Releng
Removed CUDA 12.1 support in CI/CD (#141271) (#142177)
The full release compatibility matrix can be found in release.md
Deprecated `c10d::onCompletionHook` (#142390)
```python
# do something
pg._register_on_completion_hook(hook)
# The hook will be triggered after the collective complete
pg.broadcast([tensor]).wait()
```
`ONNXProgram` has a new `optimize()` method (#137667)
Users can run `optimize()` to flatten nested structures in the ONNX graph, perform constant folding and remove redundancies in the ONNX model. Calling `optimize()` after exporting to ONNX is recommended.
Improvements
Python Frontend
- `torch.special.i1` (#137899)
- `torch.save` (#137735)
- `torch.adaptive_pool3d` on cpu (#136091)
- `torch.masked_select` (#141928)
- `torch.{linalg.}norm` complex half support (#133661)
NN Frontend
- `nn.utils.clip_grad_norm_` (#139662)
- `weight` argument to MSELoss, HuberLoss and L1Loss (#132049)
- `torch.nn.Linear` and `torch.nn.Bilinear` (#135596)
Optim
- `ReduceLROnPlateau` and `Optimizer.add_param_group` interaction by auto-updating `min_lrs` (#137637)
- `SequentialLR` to include `ChainedScheduler` (#133450)
Composability
Decompositions, FakeTensor and meta tensors
Operator decompositions, FakeTensors and meta tensors are used to trace out a graph in `torch.compile` and `torch.export`. They received several improvements:
- `aten.split_with_sizes` (#135728)
- `aten.max_unpool2d/aten.max_unpool3d` (#133146)
- `aten.dot` (#138596)
- `aten.layer_norm` (#140557)
- `aten.scaled_dot_product_attention` (#135297)
- `aten.matmul` (#134568)
- `aten._embedding_bag` (#136774)
- `aten.native_group_norm/aten.native_layer_norm` (#137079)
- `aten.to(..., non_blocking=True)` (#136513)
- `Aten.addmm` (#138520)
- `out= dtype` checks for unary ops (#140288)
- `aten.diagonal_copy` (#136730)
- `Aten.triangular_solve` (#140186)
- `Aten.log_softmax` (#140289)
- `aten._segment_reduce_backward` (#137442)
- `Aten._add_relu` (#140009)
Dynamic shapes
We made many improvements and bugfixes to dynamic shapes in `torch.compile`
- `native_layer_norm_backward` work with unbacked SymInts (#136798)
- `masked_fill` work with unbacked SymInts (#137060)
- `torch.cat` with large numbers of symbolic variables (#139653)
- `canonicalize_bool_expr` (#135621)
- `sympy_generic_le` (#135622)
- `_maybe_evaluate_static` (#135499)
- `Add._from_args` and `Mul._from_args` (#136143)
- `_SympyT` to enable more folding (#138235)
- `new_unbacked_bindings` if needed. (#140083)
- `has_free_unbacked_symbols` instead of `bool(free_unbacked_symbols)` (#140027)
- `TORCHDYNAMO_EXTENDED_ADVICE` (#137159) (#137196)
- `get_implications` (#139738)
Custom operators
We improved the existing `torch.library` APIs and added new ones.
- `torch.library.triton_op` API (#141880)
- `torch.library.register_vmap` to work with nested vmap (#137306)
- `torch.library.custom_op` APIs on `torch.deploy` (#139509)
- `torch.library.custom_op` overhead (#139513)
- `torch.library.opcheck` and `register_autograd` docs (#141883)
Distributed
- `cuStreamWriteValue32` (#136488)
- `CudaDMAConnectivityDetector` (#137530)
- `world_size=0` to `TCPStore` (#137792)
- `nccl_nonblocking_timeout` (#138374)
- `device_id` provided (#140963)
- `P2POp` and `batch_isend_irecv` (#141054)
- `CudaEventCache` by default and add multi device support (#140975)
- `PyProcessGroup` (#141529)
- `_reduce_scatter_base` to `c10d::ProcessGroupUCC` (#138021)
- `DDPOptimizer` work with HOPs (#138787)
- `cuda` device specific. (#137678)
- `state_dict_utils` (#134994)
- `_set_unshard_async_op` (#135523)
- `fsdp_pre_all_gather` (#136129)
- `all-gather` extensions (#137005)
- `shard_placement_fn` arg (#137496)
- `set_unshard_in_backward(bool)` (#137922)
- `matmul` in inference_mode (#142197)
- `PipelineStage` support meta initialization (#136243)
Profiler
Nested Tensor
- `rms_norm()`, `embedding_bag()`, `record_stream()`, `rad2deg()`, `embedding()` backward, activation functions (#135872, #135888, #140736, #138627, #137099, #140290)
- `torch.bmm(NST, NST)` (#141380)
Functorch
- `torch.scatter_reduce` (#135547)
- `native_dropout_backward` (#140140)
- `torch.func.functional_call` (#134643)
Quantization
- `X86InductorQuantizer` (#136298)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.
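
The release notes quoted above say that `torch.load` with `weights_only=True` replaces the usual pickle module with a custom unpickler constrained to the functions and classes needed for state dictionaries. The sketch below is an added illustration of that allowlisting idea using only the standard library; it is not PyTorch's implementation and not code from this PR, and `ALLOWED_GLOBALS`, `AllowlistUnpickler`, `safe_loads` and `try_load` are names assumed for the example.

```python
import io
import pickle
from collections import OrderedDict

# Assumed allowlist for this example only; PyTorch maintains its own, longer list.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve a pickled global only if (module, name) is on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Refuse before the object is imported, so nothing from it can be called.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data):
    """Deserialize bytes with the allowlisting unpickler."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return (True, obj) on success or (False, reason) when a global is refused."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed inputs: a state-dict-like mapping of basic types, and the same
# shape of mapping that also references a global outside the allowlist.
STATE_DICT_LIKE = OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
GOOD_CHECKPOINT = pickle.dumps(STATE_DICT_LIKE)
BAD_CHECKPOINT = pickle.dumps(OrderedDict([("layer.weight", len)]))

if __name__ == "__main__":
    for label, blob in (("good", GOOD_CHECKPOINT), ("bad", BAD_CHECKPOINT)):
        print(label, try_load(blob))
```

An allowlist narrows what a checkpoint can reference, but as CVE-2025-32434 above shows for `weights_only=True`, it is only as strong as its implementation, which is why the release notes still recommend trusted checkpoints or safetensors.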