Cyber Posture

CVE-2025-67729

High

Published: 26 December 2025

Modified: 31 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Flaw remediation directly mitigates CVE-2025-67729 by applying the patch in LMDeploy 0.11.1 that enforces weights_only=True in torch.load() to prevent insecure deserialization.

prevent

Information input validation ensures model checkpoint files (.bin or .pt) are checked for valid tensor content without malicious code prior to deserialization processing.

prevent · detect

Malicious code protection scans and eradicates arbitrary code payloads embedded in malicious model files before or during loading into LMDeploy.
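
The input-validation control above can be approximated by a static scan of the pickle opcodes, which lists what a checkpoint would import without deserializing it. This is an added example, not LMDeploy's or PyTorch's code; the allowlist, the function names and the sample payloads are constructed assumptions.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Illustrative allowlist (an assumption; tune it to the checkpoints you serve).
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def is_allowed(module, name):
    return (module, name) in ALLOWED or (module == "torch" and name.endswith("Storage"))

def pickle_globals(data):
    """List every (module, name) that unpickling `data` would import."""
    found, stream = [], io.BytesIO(data)
    while stream.tell() < len(data):  # legacy files concatenate several pickles
        recent = []  # ops seen so far, MEMOIZE skipped, to resolve STACK_GLOBAL
        try:
            for op, arg, _pos in pickletools.genops(stream):
                if op.name in ("GLOBAL", "INST"):
                    found.append(tuple(arg.split(" ", 1)))
                elif op.name == "STACK_GLOBAL":
                    pair = recent[-2:]
                    if len(pair) == 2 and all(n in STRING_OPS for n, _ in pair):
                        found.append((pair[0][1], pair[1][1]))
                    else:  # operands not plain strings: fail closed
                        found.append(("<unresolved>", "<unresolved>"))
                if op.name != "MEMOIZE":
                    recent.append((op.name, arg))
        except Exception:  # not a well-formed pickle: fail closed
            found.append(("<unparseable>", "<unparseable>"))
            break
    return found

def scan_checkpoint(blob):
    """Return non-allowlisted globals in the bytes of a .pt/.bin checkpoint."""
    # Zip magic must sit at offset 0, so a pickle with a zip trailer is read as a pickle.
    if blob[:4] == b"PK\x03\x04" and zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [blob]
    return [g for s in streams for g in pickle_globals(s) if not is_allowed(*g)]

# Constructed samples: a plain state_dict, and one that references a callable.
CLEAN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
SUSPECT = pickle.dumps({"weight": [0.1], "hook": print}, protocol=4)
```

An empty result from `scan_checkpoint` means every import in the file is on the allowlist. A scan like this complements the upgrade to 0.11.1 rather than replacing it.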

Security Summary · AI

CVE-2025-67729 is an insecure deserialization vulnerability (CWE-502) in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs). Affecting versions prior to 0.11.1, the flaw occurs when the torch.load() function is invoked without the weights_only=True parameter during the loading of model checkpoint files in .bin or .pt formats. This enables remote code execution upon processing malicious files, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by any remote attacker who tricks a user into loading a specially crafted .bin or .pt model file into an affected LMDeploy instance. Exploitation requires user interaction, such as manually loading a model from an untrusted source, but needs no privileges. Successful attacks grant attackers arbitrary code execution on the victim's machine with the privileges of the LMDeploy process, potentially leading to full system compromise, data theft, or further lateral movement.

The issue has been addressed in LMDeploy version 0.11.1, where the patch enforces the weights_only=True parameter in torch.load() calls. Official advisories, including GHSA-9pf3-7rrr-x5jh on the project's GitHub security page and the fixing commit eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee, recommend immediate upgrades and caution against loading models from untrusted sources.

Details

CWE(s)

Affected Products

internlm
lmdeploy
≤ 0.11.1

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Insecure deserialization in torch.load() enables arbitrary RCE when processing malicious .bin/.pt model files, directly facilitating Exploitation for Client Execution (T1203) via a software vulnerability requiring user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
