The following table lists the changes that have been made to the
CVE-2025-50461 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.
Aug. 19, 2025
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | A deserialization vulnerability exists in Volcengine’s verl 3.0.0, specifically in the scripts/model_merger.py script when using the “fsdp” backend. The script calls torch.load() with weights_only=False on user-supplied .pt files, allowing attackers to execute arbitrary code if a maliciously crafted model file is loaded. An attacker can exploit this by convincing a victim to download and place a malicious model file in a local directory with a specific filename pattern. This vulnerability may lead to arbitrary code execution with the privileges of the user running the script. | |
| Added | Reference | https://github.com/Anchor0221/CVE-2025-50461 | |
| Added | Reference | https://github.com/pytorch/pytorch/blob/main/SECURITY.md#loading-untrusted-data | |
| Added | Reference | https://github.com/volcengine/verl | |
| Added | Reference | https://github.com/volcengine/verl/blob/main/scripts/model_merger.py#L152 | |
| Added | Reference | https://pytorch.org/docs/stable/generated/torch.load.html |
CVE ID : CVE-2025-10304 Published : Dec. 3, 2025, 3:27 a.m. | 26 minutes ago Description : The Everest Backup –
CVE ID : CVE-2025-12585 Published : Dec. 3, 2025, 3:27 a.m. | 26 minutes ago Description : The MxChat – AI
Unit A5, Endeavour Business Park
Penner Road, Havant
PO9 1QN
Company Registration Number: 5334133
Company VAT Number: 855 7246 95
