CVE-2024-11392: Python Torch Load Without Weights Only

Provally Curated | Public repository | High | High confidence | Verified | Apache-2.0 | python
greprules fetch cve-2024-11392-python-torch-load-without-weights-only --engine opengrep

Description

`torch.load()` is called without `weights_only=True`. By default (in torch < 2.6), `torch.load` uses Python's `pickle` deserializer, which executes arbitrary code embedded in the input file during deserialization. If the loaded file path is attacker-influenced or comes from an untrusted source, this leads to remote code execution (CVE-2024-11392, CWE-502: De

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
