fix(deps): vuln torch (minor → 2.11.0) [dd_unit_scaling] by gh-worker-campaigns-3e9aa4[bot] · Pull Request #105 · DataDog/toto

gh-worker-campaigns-3e9aa4 · 2026-05-08T03:32:33Z

Summary: Critical-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
torch	2.4.0	2.11.0	minor	Direct	5 CRITICAL, 2 MODERATE, 1 LOW

🚨 Critical & High Severity (5 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
torch	GHSA-53q9-r3pm-6pq6	CRITICAL	PyTorch: `torch.load` with `weights_only=True` leads to remote code execution	2.4.0	2.6.0
torch	CVE-2025-32434	CRITICAL	PyTorch: `torch.load` with `weights_only=True` leads to remote code execution	2.4.0	-
torch	PYSEC-2025-41	CRITICAL	-	2.4.0	2.6.0
torch	PYSEC-2024-259	critical	-	2.4.0	2.5.0
torch	CVE-2024-48063	critical	-	2.4.0	-

ℹ️ Other Vulnerabilities (3)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
torch	GHSA-887c-mr87-cxwp	MODERATE	PyTorch Improper Resource Shutdown or Release vulnerability	2.4.0	2.8.0
torch	CVE-2025-3730	MODERATE	-	2.4.0	-
torch	GHSA-3749-ghw9-m3mg	LOW	PyTorch susceptible to local Denial of Service	2.4.0	2.7.1-rc1

Standard review:

Update Mode: Vulnerability Remediation (Critical)

🤖 Generated by DataDog Automated Dependency Management System

Executing automated changes

8f965c4

gh-worker-campaigns-3e9aa4 Bot added campaigner-automated-change adms-dependency-update labels May 8, 2026

campaigner-prod Bot marked this pull request as ready for review May 8, 2026 12:12