Vulnerability Details
Basic Information
| Title | GHSA-GGPF-24JW-3FCW CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0 |
|---|---|
| Type | osv |
| Published | 2025-04-23T02:26:06 |
| Last Seen | 2025-04-23T03:36:11 |
| CVSS Score | 7.5 (HIGH) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2025-24357 |
|---|---|
| CWE | |
| Bulletin Family | software |
Description
https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vllm host. The fix applied to specify `weights_only=True` to calls to `torch.load()` did not solve the problem prior to PyTorch 2.6.0.
PyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6
This means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem.
## Background Knowledge
When users install VLLM according to the official manual
But the version of PyTorch is specified in the requirements. txt file
So by default when the user install VLLM, it will install the PyTorch with version 2.5.1
In CVE-2025-24357, weights_only=True was used for patching, but we know this is not secure.
Because we found that using Weights_only=True in pyTorch before 2.5.1 was unsafe
Here, we use this interface to prove that it is not safe.
## Fix
update PyTorch version to 2.6.0
## Credit
This vulnerability was found By Ji’an Zhou and Li’shuo Song
Impact Assessment
| Base Score | 7.5 |
|---|---|
| Severity | HIGH |