CVE-2025-24357 HIGH

CVE-2025-24357: vLLM allows a malicious model RCE by torch.load in hf_model_weights_iterator

Vendor Vllm-Project

Product vllm

Weakness CWE-502 · Unsafe deserialization

Published January 27, 2025

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.

Key dates

02Disclosure timeline

January 27, 2025 CVE published

February 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24357 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2026-46386 OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal` CVE-2021-24384 JoomSport < 5.1.8 - Unauthenticated PHP Object Injection CVE-2023-26359 Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution CVE-2026-8751 h2oai h2o-3 JAR Model.java importBinaryModel deserialization CVE-2022-41137 Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore