{"id":"GHSA-m9mp-6x32-5rhg","summary":"scio is vulnerable to Remote Command Execution through PyTorch","details":"### Impact\nPyTorch reported a [**critical** vulnerability](https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6) when using `torch.load`, even with option `weights_only=True`, for `torch \u003c= 2.5.1`.\n\nIn `scio \u003c= 1.0.0`, the lower bound for `torch` is `2.3`.\n\n### Patches\nThe lower bound was changed to `torch \u003e= 2.6`, starting from `scio \u003e= 1.0.1` (currently in dev state).\n\n### Workarounds\nYou can manually check that you are using `torch \u003e= 2.6`.","modified":"2025-10-09T14:50:16.086190Z","published":"2025-10-09T14:22:00Z","database_specific":{"cwe_ids":["CWE-502"],"github_reviewed_at":"2025-10-09T14:22:00Z","severity":"CRITICAL","github_reviewed":true,"nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/ThalesGroup/scio/security/advisories/GHSA-m9mp-6x32-5rhg"},{"type":"WEB","url":"https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6"},{"type":"PACKAGE","url":"https://github.com/ThalesGroup/scio"}],"affected":[{"package":{"name":"scio-pypi","ecosystem":"PyPI","purl":"pkg:pypi/scio-pypi"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.0.0"}]}],"versions":["1.0.0","1.0.0a1","1.0.0a2","1.0.0rc1","1.0.0rc2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-m9mp-6x32-5rhg/GHSA-m9mp-6x32-5rhg.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}