Potential Security Risk in torch==1.8.1 Detected through Static Analysis

Open Cynthia-0101 opened this issue 1 year ago • 0 comments

Summary

A reachable construct was detected in torch==1.8.1 through my static analysis database. The analysis uncovered more than 5 call chains leading to this construct. Below is one example to illustrate the potential vulnerability:

Call Chain Analysis

compressai.sadl_codec.dataset2latent
└── import torch
    └── import torch.jit
        └── import torch.jit._script
            └── import torch.jit.frontend
                └── import torch.jit.annotations

Patch and Code Changes

We suspect that this construct may be vulnerable because it was modified in a security-related patch. This suggests that the original code might have contained a flaw, and it may still be risky to use the affected version (torch==1.8.1) without further investigation.

Note:

This issue was identified through a static analysis of the project at commit [743680befc146a6d8ee7840285584f2ce00c3732].

Cynthia-0101, Oct 24 '24 09:10