vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.
References
Link | Resource |
---|---|
https://huntr.com/bounties/75a544f3-34a3-4da0-b5a3-1495cb031e09 | Exploit Third Party Advisory |
Configurations
History
29 Apr 2025, 18:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:vllm-project:vllm:0.6.0:*:*:*:*:*:*:* | |
References | () https://huntr.com/bounties/75a544f3-34a3-4da0-b5a3-1495cb031e09 - Exploit, Third Party Advisory | |
First Time |
Vllm-project
Vllm-project vllm |
|
Summary |
|
20 Mar 2025, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-03-20 10:15
Updated : 2025-04-29 18:14
NVD link : CVE-2024-9053
Mitre link : CVE-2024-9053
CVE.ORG link : CVE-2024-9053
JSON object : View
Products Affected
vllm-project
- vllm
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')