PyTorch is a popular deep learning library used by researchers and companies all over the world. In 2022, a critical vulnerability was discovered in its JIT compiler’s annotation parsing—specifically the torch.jit.annotations.parse_type_line function. Identified as CVE-2022-45907, it allowed attackers to execute arbitrary Python code due to unsafe use of Python’s eval() function. In this post, we’ll break down what went wrong, how the exploit works, and what you should do to stay safe.
What is torch.jit.annotations.parse_type_line?
PyTorch has a component called the JIT (Just-In-Time) compiler, which speeds up models and allows for packaging and exporting them for production use. The function torch.jit.annotations.parse_type_line() is part of the code that interprets inline type annotations attached to functions in TorchScript (PyTorch’s subset of Python that the JIT compiler can handle).
Parsing these types correctly is crucial for TorchScript to work as expected. But before a crucial fix, this function used Python’s notorious eval() in a way that attackers could abuse.
The Vulnerability: Why is eval() Dangerous Here?
Python’s eval() function takes a string and evaluates it as Python code. If the string comes from a trusted source, that's mostly okay. But if an attacker can control the content of that string, they can make Python do literally anything—from reading files to executing system commands.
Here’s a simplified, vulnerable snippet from the old PyTorch source code
def parse_type_line(type_line: str):
# Dangerous: 'type_line' may hold user input
type_obj = eval(type_line, context)
return type_obj
Notice that type_line could potentially contain anything. If an attacker passes '__import__("os").system("rm -rf /")', and this string reaches eval(), well... you can guess what happens.
Here’s how an attacker might exploit this vulnerability
import torch
# This input gets evaluated unsafely!
malicious_type = '__import__("os").system("echo hacked > /tmp/pytorch_exploit")'
# torch.jit.annotations.parse_type_line used to do this:
torch.jit.annotations.parse_type_line(malicious_type)
When run, this would create a file /tmp/pytorch_exploit containing the word hacked. Replace the string in system with any shell command, and you can see how impactful this bug is.
How the Exploit Works
1. User Input Reaches parse_type_line: Any TorchScript code or user input that controls typing annotations may trigger this path.
Raw eval() Usage: Without proper sanitization, eval() interprets the string as actual Python.
3. Code Execution: Attacker’s command or code executes with the privileges of the Python process running PyTorch.
Mitigation and Fix
The PyTorch team fixed this in pull request #89695. They replaced the direct usage of eval() with a much safer parsing method using the ast.literal_eval or a safer parser for types.
If you use a version of PyTorch released before this pull request, you are vulnerable. You can check your JIT annotation parser, or simply update PyTorch to the latest version.
Am I Affected?
- Vulnerable: PyTorch versions before the merge of PR #89695, especially if your code lets untrusted users provide TorchScript functions or type annotations.
Not Vulnerable: Latest PyTorch releases after this fix.
How to check your version:
import torch
print(torch.__version__)
Compare with the date of the PR or upgrade to latest stable.
Final Thoughts
CVE-2022-45907 is a powerful reminder that using eval() on user input is *always* risky, even in the world of machine learning code where many developers assume data is “trusted.” If you run PyTorch in multi-user environments or process code and types from uploaded models, compilations, or notebooks, always upgrade to the patched version.
Reference Links
- NVD: CVE-2022-45907
- PyTorch Fix PR #89695
- PyTorch JIT Documentation
Remember: Patch early, patch often, and never trust unchecked input in your codebase—even if it comes in the form of type annotations!
Timeline
Published on: 11/26/2022 02:15:00 UTC
Last modified on: 08/08/2023 14:21:00 UTC