CVE-2025-24357
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-24357
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24357.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-24357
- Aliases
- Published
- 2025-01-27T17:38:20.070Z
- Modified
- 2025-11-20T12:33:41.651319Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- vLLM allows a malicious model RCE by torch.load in hf_model_weights_iterator
- Details
-
vLLM is a library for LLM inference and serving. vllm/modelexecutor/weightutils.py implements hfmodelweightsiterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weightsonly parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.
- Database specific
{ "cwe_ids": [ "CWE-502" ] }- References
Affected packages
Git / github.com/vllm-project/vllm
Affected ranges
- Type
- GIT
- Repo
- https://github.com/vllm-project/vllm
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
submission
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0.post1
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0.post1
v0.5.1
v0.5.2
v0.5.3
v0.5.3.post1
v0.5.4
v0.5.5
v0.6.0
v0.6.1
v0.6.1.post1
v0.6.1.post2
v0.6.2
v0.6.3
v0.6.3.post1
v0.6.4
v0.6.4.post1
v0.6.5
v0.6.6
v0.6.6.post1