CVE-2025-24357
Published 2025-01-27
Priority P349 · high · 8.8 CVSS 3.1 · AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS 0.69% (48.3th percentile)
vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | < 0.7.0 | 0.7.0 |
| vllm | vllm | < 0.7.0 | 0.7.0 |
| vllm | vllm | >= 0 < d3d6bb13fb62da3234addf6574922a4ec0513d04 | d3d6bb13fb62da3234addf6574922a4ec0513d04 |
| vllm | vllm | >= 0 < 0.7.0 | 0.7.0 |
| vllm | vllm | >= 0 < 0.8.0 | 0.8.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| ghsa | | 8.8 | HIGH | |
| osv | | 8.8 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
ghsa · 2025-04-23 · CVSS 8.8 · HIGH · CWE-1395
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0
## Description
https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vllm host. The fix applied to specify `weights_only=True` to calls to `torch.load()` did not solve the problem prior to PyTorch 2.6.0.
PyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6
This means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem.
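As an added illustration of the two points above (not code from vLLM or PyTorch): a static scan of which globals a pickle-based checkpoint would import, mirroring what `weights_only=True` restricts, combined with a loader policy that trusts that flag only on PyTorch 2.6.0 or later and never unpickles safetensors files. The allowlist, the `checkpoint_decision` helper and the sample streams are assumptions constructed here.

```python
import pickle
import pickletools
from collections import OrderedDict
# Assumed allowlist modelled on the restricted unpickler behind weights_only=True
# (not vLLM's or PyTorch's real list): what a plain tensor state_dict references.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage", "torch.HalfStorage", "torch.BFloat16Storage"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"}
PUT_OPS, GET_OPS = {"BINPUT", "LONG_BINPUT", "PUT"}, {"BINGET", "LONG_BINGET", "GET"}
def referenced_globals(data: bytes) -> set:
    """Disassemble a pickle with pickletools (nothing is executed) and return
    every 'module.name' it would import via GLOBAL / STACK_GLOBAL."""
    refs, memo, stack = set(), {}, []   # stack tracks strings; other values are None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: "module name" inline
            refs.add(arg.replace(" ", ".", 1))
            stack.append(None)
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name on the stack
            name, mod = (stack.pop() if stack else None), (stack.pop() if stack else None)
            ok = isinstance(mod, str) and isinstance(name, str)
            refs.add(f"{mod}.{name}" if ok else "<unresolved STACK_GLOBAL>")
            stack.append(None)
        elif op.name == "MEMOIZE":         # memoizes top of stack without popping
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in PUT_OPS:
            memo[arg] = stack[-1] if stack else None
        elif op.name in GET_OPS:
            stack.append(memo.get(arg))
        elif op.name in STRING_OPS:
            stack.append(arg)
        else:                              # approximate the stack effect of other opcodes
            del stack[max(0, len(stack) - len(op.stack_before)):]
            stack.extend([None] * len(op.stack_after))
    return refs

def checkpoint_decision(filename: str, data: bytes, torch_version: str) -> str:
    """Assumed loader policy (not vLLM's code): safetensors is never unpickled; pickle
    files pass only on torch >= 2.6.0 (weights_only fix effective) with allowlisted imports."""
    if filename.endswith(".safetensors"):
        return "allow"
    major, minor = (int(x) for x in torch_version.split(".")[:2])
    if (major, minor) < (2, 6):
        return f"deny: torch {torch_version} < 2.6.0, weights_only=True is bypassable"
    unexpected = referenced_globals(data) - ALLOWED_GLOBALS
    return "deny: unexpected globals " + ", ".join(sorted(unexpected)) if unexpected else "allow"

# Constructed samples: a benign state_dict, and a stream importing a callable outside the allowlist.
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
SUSPECT = pickle.dumps(pickletools.genops, protocol=4)
```

The scan fails closed: a STACK_GLOBAL whose operands cannot be resolved is reported as unresolved and therefore denied.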
## Background Knowledge
When users install vLLM according to the official manual
But the version of PyTorch is specified in the requirements.txt file
So by default when the user installs vLLM, i
OSV
osv · 2025-04-23 · CVSS 8.8 · HIGH
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0 (same advisory text as the GHSA entry above)
OSV
osv · 2025-01-27
CVE-2025-24357: vLLM is a library for LLM inference and serving
OSV
osv · 2025-01-27 · HIGH
vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator
### Description
The vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function, and the weights_only parameter defaults to False. There is a security warning on https://pytorch.org/docs/stable/generated/torch.load.html: when torch.load loads malicious pickle data, it will execute arbitrary code during unpickling.
### Impact
This vulnerability can be exploited to execute arbitrary code and OS commands on the machine of a victim who fetches the pretrained repo remotely.
Note that most models now use the safetensors format, which is not vulnerable to this issue.
### References
* https://pytorch.org/docs/stable/genera
GHSA
ghsa · 2025-01-27 · HIGH · CWE-502
vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator (same description, impact and references as the OSV entry above)
Red Hat
vendor_redhat · 2025-01-27 · CVSS 7.5 · HIGH · CWE-502
vllm: vLLM allows a malicious model RCE by torch.load in hf_model_weights_iterator
A flaw was found in the vLLM package, a library for LLM inference and serving. The vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint downloaded from huggingface. It uses the torch.load function, and the weights_only parameter defaults to False. When torch.l
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2025-01-27