Critical CVE in torch <= 2.5.1 #1693
Description
Prerequisites
- Put an X between the brackets on this line if you have done all of the following:
- Checked the Answered Questions on the Github Discussion board: https://github.com/ourownstory/neural_prophet/discussions
If you have the same question but the Answer does not solve your issue, please continue the conversation there. - Checked that your issue isn't already filed: https://github.com/ourownstory/neural_prophet/issues
If you have the same issue but there is a twist to your situation, please add an explanation there. - Considered whether your issue might need further discussing before being defined as a feature request:
Please post an idea or feedback
- Checked the Answered Questions on the Github Discussion board: https://github.com/ourownstory/neural_prophet/discussions
Is your feature request related to a problem? Please describe.
NP is pinned to pytorch < 2.4, however there has been a critical CVE reported in pytorch <=2.5.1 that is now preventing any production use of NP in controlled environments. See: CVE-2025-32434
Describe the solution you'd like
Upgrade NP code to be compatible with torch 2.6 to prevent the CVE and retain distributed processing capability.
Describe alternatives you've considered
Forcing the upgrade to torch 2.6 to fix the CVE breaks the multiprocessing capability of NP so it is restricted to 1 CPU core. It is then too slow for production use.
Additional context
Any PCI or SOC2 controlled environment requires patching critical CVEs, meaning until this is fixed we cannot use NP in production environments.