CVE-2025-24357

CVE-2025-24357 is a deserialization vulnerability (CWE-502) in the vLLM library, which provides efficient inference and serving for large language models. The issue lies in the hf_model_weights_iterator function within vllm/model_executor/weight_utils.py. This function downloads model checkpoints from Hugging Face and loads them using PyTorch's torch.load with the weights_only parameter defaulting to False, enabling arbitrary code execution during unpickling of malicious pickle data.

Attackers can exploit this vulnerability by publishing a malicious model checkpoint to Hugging Face. Any user running affected versions of vLLM who loads the checkpoint will trigger remote code execution on their system, as the CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network accessibility, no privileges required, user interaction via model loading, high attack complexity, and high impacts on confidentiality, integrity, and availability.

The vulnerability was fixed in vLLM version 0.7.0. Mitigation involves upgrading to v0.7.0 or later. Relevant resources include the GitHub security advisory at GHSA-rh4j-5rhw-hr54, the fixing pull request #12366, and commit d3d6bb13fb62da3234addf6574922a4ec0513d04; PyTorch documentation for torch.load also notes risks associated with weights_only=False.

This vulnerability highlights risks in AI/ML pipelines, as vLLM is widely used for LLM serving, emphasizing the need to validate model sources and enforce secure deserialization practices.