CVE-2024-11041
published 2025-03-20CVE-2024-11041: vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets…
PriorityP264critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
1.41%
69.3th percentile
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm-project_vllm | unspecified – latest | — |
| vllm | vllm | — | — |
| vllm | vllm | 0 – 0.6.2 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for use of pickle.loads() on data received from network sockets within the vllm MessageQueue.dequeue() function, which is the vulnerable code path for CVE-2024-11041. ↗
- →Flag any inbound network payloads delivered to the vllm MessageQueue API endpoint; a malicious pickle payload sent to MessageQueue.dequeue() will trigger arbitrary code execution on the receiving host. ↗
- →Audit vllm-project/vllm deployments at version v0.6.2 specifically; this is the confirmed vulnerable version. ↗
- ·No mitigation is currently available from Red Hat that meets their deployment/ease-of-use criteria; affected RHEL AI packages (instructlab-intel-rhel9, instructlab-nvidia-rhel9, and several bootc variants) remain exposed until a fix is released. ↗
- ·The vulnerability is present in the MessageQueue.dequeue() function due to improper use of pickle.loads on untrusted socket data; any vllm deployment exposing this API to untrusted network input is at risk. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
vLLM Deserialization of Untrusted Data vulnerability
ghsa·2025-03-20
CVE-2024-11041 [CRITICAL] CWE-502 vLLM Deserialization of Untrusted Data vulnerability
vLLM Deserialization of Untrusted Data vulnerability
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
OSV
vLLM Deserialization of Untrusted Data vulnerability
osv·2025-03-20
CVE-2024-11041 [CRITICAL] vLLM Deserialization of Untrusted Data vulnerability
vLLM Deserialization of Untrusted Data vulnerability
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
Red Hat
vllm: Remote Code Execution in vllm-project/vllm
vendor_redhat·2025-03-20·CVSS 9.8
CVE-2024-11041 [CRITICAL] CWE-502 vllm: Remote Code Execution in vllm-project/vllm
vllm: Remote Code Execution in vllm-project/vllm
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
A flaw was found in the vLLM MessageQueue. This vulnerability allows remote code execution via the MessageQueue.dequeue() function, which improperly uses pickle.loads to parse received sockets, enabling an attacker to execute arbitrary code by sending a malicious payload.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-20
Published