GHSA-ggpf-24jw-3fcw

Source

https://github.com/advisories/GHSA-ggpf-24jw-3fcw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ggpf-24jw-3fcw/GHSA-ggpf-24jw-3fcw.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-ggpf-24jw-3fcw

Published

2025-04-23T02:26:06Z

Modified

2025-04-23T02:49:00.326175Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0

Details

Description

https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vllm host. The fix applied to specify weights_only=True to calls to torch.load() did not solve the problem prior to PyTorch 2.6.0.

PyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6

This means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem.

Background Knowledge

When users install VLLM according to the official manual

But the version of PyTorch is specified in the requirements. txt file

So by default when the user install VLLM, it will install the PyTorch with version 2.5.1

In CVE-2025-24357, weightsonly=True was used for patching, but we know this is not secure. Because we found that using Weightsonly=True in pyTorch before 2.5.1 was unsafe

Here, we use this interface to prove that it is not safe.

Fix

update PyTorch version to 2.6.0

Credit

This vulnerability was found By Ji'an Zhou and Li'shuo Song

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1395"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-23T02:26:06Z"
}

References

Affected packages

PyPI / vllm

Package

Name: vllm; View open source insights on deps.dev
Purl: pkg:pypi/vllm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.0

Affected versions

0.*

0.0.1

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.2.0

0.2.1

0.2.1.post1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.3.0

0.3.1

0.3.2

0.3.3

0.4.0

0.4.0.post1

0.4.1

0.4.2

0.4.3

0.5.0

0.5.0.post1

0.5.1

0.5.2

0.5.3

0.5.3.post1

0.5.4

0.5.5

0.6.0

0.6.1

0.6.1.post1

0.6.1.post2

0.6.2

0.6.3

0.6.3.post1

0.6.4

0.6.4.post1

0.6.5

0.6.6

0.6.6.post1

0.7.0

0.7.1

0.7.2

0.7.3