
CVE-2025-24357 vllm

Package

Manager: pip
Name: vllm
Vulnerable Version: >=0 <0.7.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00163 (percentile 0.37812)

Details

vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator

Description

vllm/model_executor/weight_utils.py implements hf_model_weights_iterator, which loads model checkpoints downloaded from Hugging Face. For checkpoints in the legacy pickle-based format it calls torch.load with the weights_only parameter left at its default value of False (the default in the PyTorch releases current at the time; PyTorch 2.6 later changed it to True). As the security warning at https://pytorch.org/docs/stable/generated/torch.load.html states, torch.load in that mode unpickles the file, and unpickling malicious pickle data executes arbitrary code.

Impact

This vulnerability can be exploited to execute arbitrary code and OS commands on any machine that fetches the malicious pretrained repo remotely and loads it with a vulnerable vLLM version. Note that most models now use the safetensors format, which does not involve pickle and is not affected by this issue; only models distributed as pickle-based checkpoints (for example pytorch_model.bin or .pt files) reach the vulnerable code path.

References

* https://pytorch.org/docs/stable/generated/torch.load.html
* Fix: https://github.com/vllm-project/vllm/pull/12366
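The following is an added example, not vLLM's code and not taken from the advisory or the fix PR. It shows the CWE-502 mechanism behind this advisory using only the standard pickle module, so it runs without torch installed: a checkpoint-like pickle whose unpickling executes attacker-chosen code, loaded once the way weights_only=False does (full unpickle) and once through an allow-list unpickler that stands in for the idea behind weights_only=True. The class MaliciousWeights, the environment variable VLLM_EXAMPLE_PWNED (used as a harmless witness instead of a shell command) and the ALLOWED set are constructed for this example.

```python
"""Added example (not vLLM's own code): why torch.load with
weights_only=False is CWE-502. A legacy .bin/.pt checkpoint is a pickle
stream; unpickling it can call any importable callable. Shown here with
the standard pickle module only, so it runs without torch installed."""
import io
import os
import pickle

# Hypothetical witness: a real payload would spawn a shell instead.
MARKER = "VLLM_EXAMPLE_PWNED"


class MaliciousWeights:
    """Pretends to be a weight tensor; on unpickle it executes code."""

    def __reduce__(self):
        # An attacker would return (os.system, ("curl ... | sh",)).
        # builtins.exec is used here so the only side effect is an env var.
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_malicious_checkpoint() -> bytes:
    """Emulates an attacker publishing pytorch_model.bin to a model repo.
    The key name is constructed; the dict shape mirrors a state_dict."""
    return pickle.dumps({"model.embed_tokens.weight": MaliciousWeights()})


def vulnerable_load(blob: bytes):
    """Equivalent of torch.load(path) with weights_only left at False:
    a full unpickle, so every GLOBAL opcode resolves and REDUCE calls it."""
    return pickle.loads(blob)


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Allow-list unpickler, the idea behind torch.load(weights_only=True).
    Only globals a tensor checkpoint legitimately needs are resolvable;
    anything else, including builtins.exec and os.system, is refused
    before the REDUCE opcode that would call it is reached."""

    # Constructed allow-list; a real one would add the torch rebuild
    # helpers and storage classes a checkpoint actually references.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is forbidden in a weights-only load")


def safe_load(blob: bytes):
    """Equivalent of torch.load(path, weights_only=True)."""
    return WeightsOnlyUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Loads the same malicious checkpoint both ways and reports whether
    the payload ran. Returns a dict so the outcome can be asserted on."""
    blob = build_malicious_checkpoint()

    os.environ.pop(MARKER, None)
    vulnerable_load(blob)  # the payload runs during unpickling
    ran_unsafely = os.environ.get(MARKER) == "1"

    os.environ.pop(MARKER, None)
    blocked = False
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        blocked = True

    return {
        "vulnerable_executed_payload": ran_unsafely,
        "weights_only_blocked": blocked,
        "payload_ran_under_weights_only": os.environ.get(MARKER) == "1",
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list refuses the global before the unpickler ever reaches the REDUCE opcode, which is why a weights-only load stops the payload rather than merely failing after it has run. The same holds for safetensors: the format is a header plus raw tensor bytes with no pickle stream, so a loader never resolves a callable at all. When auditing a deployment, grep for torch.load calls that do not pass weights_only=True and treat every pickle-based checkpoint from a third-party repo as untrusted input.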

Metadata

Created: 2025-01-27T20:50:30Z
Modified: 2025-06-30T12:52:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-rh4j-5rhw-hr54/GHSA-rh4j-5rhw-hr54.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-rh4j-5rhw-hr54
Finding: F096
Auto approve: 1