CVE-2025-3163 — Injection in Lmdeploy

CWE-74 — Injection CWE-94 — Code Injection3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 70.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Internlm Lmdeploy

Timeline

PublishedApr 3

Description

A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDinternlm/lmdeploy0.7.1

▶PyPIinternlm/lmdeploy0.7.1

▶CVEListV5internlm/lmdeploy0.7.0, 0.7.1+1

🔴Vulnerability Details

OSV

InternLM LMDeploy code injection vulnerability↗2025-04-03

▶

GHSA

InternLM LMDeploy code injection vulnerability↗2025-04-03

▶