{"vulnerability": "CVE-2025-24357", "sightings": [{"uuid": "156510e9-c2cb-4e0b-8c4d-81b54abac67a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24357", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113901548168353266", "content": "", "creation_timestamp": "2025-01-27T17:41:37.848867Z"}, {"uuid": "2c02c6aa-88a9-40d7-93c0-bc3fb9acddd9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24357", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lgqkddrhmm2w", "content": "", "creation_timestamp": "2025-01-27T18:16:18.875541Z"}, {"uuid": "90f0b654-4685-43b5-82e1-63e4c9b3e63a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24357", "type": "seen", "source": "https://t.me/cvedetector/16490", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-24357 - VLLM Deserialization Code Execution Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-24357 \nPublished : Jan. 27, 2025, 6:15 p.m. | 22\u00a0minutes ago \nDescription : vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0. \nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"27 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-27T20:11:23.000000Z"}, {"uuid": "6d558a10-3312-45c2-8a63-d078f7c28e2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24357", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/3179", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: GHSA-rh4j-5rhw-hr54\n\ud83d\udd25 CVSS Score: 7.5 (CVSS_V3)\n\ud83d\udd39 Description: ### Description\nThe vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It use torch.load function and weights_only parameter is default value False. There is a security warning on https://pytorch.org/docs/stable/generated/torch.load.html, when torch.load load a malicious pickle data it will execute arbitrary code during unpickling.\n\n### Impact\nThis vulnerability can be exploited to execute arbitrary codes and OS commands in the victim machine who fetch the pretrained repo remotely.\n\nNote that most models now use the safetensors format, which is not vulnerable to this issue.\n\n### References\n* https://pytorch.org/docs/stable/generated/torch.load.html\n* Fix: https://github.com/vllm-project/vllm/pull/12366\n\ud83d\udccf Published: 2025-01-27T20:50:30Z\n\ud83d\udccf Modified: 2025-01-27T20:50:30Z\n\ud83d\udd17 References:\n1. https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54\n2. https://nvd.nist.gov/vuln/detail/CVE-2025-24357\n3. https://github.com/vllm-project/vllm/pull/12366\n4. https://github.com/vllm-project/vllm/commit/d3d6bb13fb62da3234addf6574922a4ec0513d04\n5. https://github.com/vllm-project/vllm\n6. https://github.com/vllm-project/vllm/releases/tag/v0.7.0\n7. https://pytorch.org/docs/stable/generated/torch.load.html", "creation_timestamp": "2025-01-27T21:08:26.000000Z"}]}