[GHSA-887c-mr87-cxwp] PyTorch Improper Resource Shutdown or Release vulnerability

[ferdlestier]

Updates

• Affected products
• CVSS v3

Comments
GHSA-887c-mr87-cxwp, since the fix exists but has not yet been incorporated into a tagged release, the vulnerable version range was set to <= 2.7.0, when this was the latest release, with no patched version specified. The same behavior was observed since the release of v2.7.1, for which the advisory entry should be readjusted to <= 2.7.1, since this latest release does not include the fix yet.

[Copilot]

Pull Request Overview

This PR updates the advisory metadata for GHSA-887c-mr87-cxwp to reflect that PyTorch v2.7.1 is still vulnerable.

• Bumps the modified timestamp by one second
• Removes the CVSS v3 severity entry
• Updates the affected version range to include v2.7.1

Comments suppressed due to low confidence (2)

advisories/github-reviewed/2025/04/GHSA-887c-mr87-cxwp/GHSA-887c-mr87-cxwp.json:15

• The CVSS v3 severity entry was removed entirely—please confirm whether it should be updated rather than deleted, or document why only v4 remains.

    }

advisories/github-reviewed/2025/04/GHSA-887c-mr87-cxwp/GHSA-887c-mr87-cxwp.json:31

• The advisory specifies the last affected version but does not include a 'fixed' event—per schema guidelines, add a fixed-version entry to indicate when the vulnerability is resolved.

              "last_affected": "2.7.1"

[advisory-database]

Hi @ferdlestier! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!