Conversation
…d sent to draft process
![arnica-github-connector[bot]](https://avatars.githubusercontent.com/in/144692?s=60&v=4){kind=small}
| print(f"[{_ts()}] [PrefillRequest.receive] eagle_acts shape={eagle_acts.shape}, eagle_acts[:3, :3]={list_to_str(eagle_acts[:3, :3].tolist())}", flush=True) | ||
|
|
||
| print(f"[{_ts()}] [PrefillRequest.receive] BANANA LOADING EAGLE ACTS FROM SSD") | ||
| prefill_request_from_ssd = torch.load('/work/avner/git/ssd/tensor_dump_ssd/prefill_request_12_59_28.84.pt', map_location='cpu', weights_only=False) |
There was a problem hiding this comment.
Static Code Analysis Risk: Together python torch load
torch.load() detected (CVE-2025-32434, CVSS 9.8). In PyTorch <= 2.5.1, torch.load() enables arbitrary code execution even with weights_only=True. The weights_only flag does NOT provide the intended protection on affected versions. Use safetensors format for model weights, or ensure PyTorch >= 2.6.0 and validate model provenance before loading.
Severity: High 🚨
Status: Open 🔴
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-32434
- GHSA-53q9-r3pm-6pq6
- https://cwe.mitre.org/data/definitions/502
Suggested reviewers 🧐: @avnermay
More details:
If you see an issue, please contact Shasheen in the #security-engineering Slack channel.
Take action by replying with an [arnica] command 💬
Actions
Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.
To acknowledge the finding as a valid code risk: [arnica] ack <acknowledge additional details>
To dismiss the risk with a reason: [arnica] dismiss <fp|accept|capacity> <dismissal reason>
Examples
-
[arnica] ack This is a valid risk and I'm looking into it -
[arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive) -
[arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system -
[arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
1 participant
No description provided.