
Pytorch 1.7 contains vulnerability that is fixed in upgraded version #333

cprocak3 opened this issue Mar 6, 2023 · 1 comment

cprocak3 commented Mar 6, 2023

Hello,

Pytorch 1.7 has a vulnerability that can cause an arbitrary code execution when used. It is fixed in version 1.13.1. When can it be expected for Pytorch to be upgraded to a more recent version?

See the following for the details on the CVE:
https://avd.aquasec.com/nvd/2022/cve-2022-45907/

jongwook (Collaborator) commented Mar 6, 2023

Hi, I see the relevant issue is this one, and the vulnerability happens when JIT-compiling a module that contains function calls using the Python type hint syntax. While the released CLIP models are using the JIT-compiled format, I don't think any code paths used in this repo are vulnerable to this CVE. (happy to stand corrected though)

In any case, this package does not enforce a specific pytorch version, but I haven't tested if it's source-compatible with 1.13.1 (I'm guessing it is). We can consider adding a warning message if the pytorch version used is too old, but any security implications will ultimately be the responsibility of the entity using this library to deploy their services which may cause arbitrary code execution. See also the LICENSE.
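The maintainer's reply floats a warning when the installed PyTorch is too old. The block below is an added example of such a check, not code from the CLIP repository or from PyTorch; it takes the fixed version (1.13.1) from the reporter's message as an assumed threshold and uses only the standard library, so it runs whether or not torch is installed. The parser tolerates the suffixes real PyTorch version strings carry (`+cu117`, `a0`), which a naive string comparison gets wrong.

```python
import re
import warnings
from typing import Optional, Tuple

# Assumed threshold: the issue reporter states the fix shipped in 1.13.1.
FIXED_VERSION = "1.13.1"

# Leading numeric components only; suffixes like '+cu117' or 'a0' are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a PyTorch-style version string.

    PyTorch builds report strings such as '1.7.0+cu101' or '2.0.0a0';
    only the numeric prefix matters for the ordering comparison.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts before the release named as containing the fix."""
    return parse_version(version) < parse_version(fixed)


def check_torch_version(version: Optional[str] = None) -> bool:
    """Warn if the installed (or supplied) PyTorch is older than FIXED_VERSION.

    Returns True when a warning was emitted. With no argument the installed
    torch is consulted; if torch is not importable the check is skipped.
    """
    if version is None:
        try:
            import torch  # imported lazily so the module loads without torch
            version = torch.__version__
        except ImportError:
            return False
    if is_vulnerable(version):
        warnings.warn(
            f"PyTorch {version} is older than {FIXED_VERSION}, the release the "
            "report names as fixing CVE-2022-45907; upgrade before relying on "
            "torch.jit with this version.",
            RuntimeWarning,
            stacklevel=2,
        )
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs; the last call inspects the real installation.
    for sample in ("1.7.0+cu101", "1.13.0", "1.13.1", "2.1.0+cpu"):
        print(sample, "vulnerable" if is_vulnerable(sample) else "ok")
    check_torch_version()
```

Calling `check_torch_version()` once at import time in a library gives downstream users the nudge the maintainer describes without pinning a version; the comparison on tuples rather than strings is what keeps `1.13.1` correctly ordered after `1.7.0`.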
