CVE-2025-24357: vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator
The vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It use torch.load function and weights_only parameter is default value False. There is a security warning on https://pytorch.org/docs/stable/generated/torch.load.html, when torch.load load a malicious pickle data it will execute arbitrary code during unpickling.
References
- github.com/advisories/GHSA-rh4j-5rhw-hr54
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/commit/d3d6bb13fb62da3234addf6574922a4ec0513d04
- github.com/vllm-project/vllm/pull/12366
- github.com/vllm-project/vllm/releases/tag/v0.7.0
- github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54
- nvd.nist.gov/vuln/detail/CVE-2025-24357
- pytorch.org/docs/stable/generated/torch.load.html
Detect and mitigate CVE-2025-24357 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →