CVE-2024-11041: Deserialization of Untrusted Data in vLLM

Severity: 9.8 CRITICAL (NVD)
EPSS: 1.3% (top 20.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 20

Description

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function passes data received directly from the socket to pickle.loads, which leads to remote code execution. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Source    | Package                               | Version
CVEListV5 | vllm-project/vllm-project_vllm        | unspecified to latest
PyPI      | vllm/vllm                             | 0.6.2
NVD       | vllm/vllm                             | 0.6.2

Vulnerability Details (2)

GHSA: vLLM Deserialization of Untrusted Data vulnerability (2025-03-20)
OSV: vLLM Deserialization of Untrusted Data vulnerability (2025-03-20)

Vendor Advisories (1)

Red Hat: vllm: Remote Code Execution in vllm-project/vllm (2025-03-20)