vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.
References
Configurations
No configuration.
History
20 Mar 2025, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-03-20 10:15
Updated : 2025-03-20 10:15
NVD link : CVE-2024-9053
Mitre link : CVE-2024-9053
CVE.ORG link : CVE-2024-9053
JSON object : View
Products Affected
No product.
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')