Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-5vqr-wprc-cpp7

Опубликовано: 20 мар. 2025
Источник: github
Github: Прошло ревью
CVSS3: 9.8

Описание

vLLM Deserialization of Untrusted Data vulnerability

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

Ссылки

Пакеты

Наименование

vllm

pip
Затронутые версииВерсия исправления

<= 0.6.2

Отсутствует

EPSS

Процентиль: 79%
0.01251
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2024-11041

Дефекты

CWE-502

Связанные уязвимости

redhat логотип

CVE-2024-11041

CVSS3: 2.6
redhat
11 месяцев назад

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

nvd логотип

CVE-2024-11041

CVSS3: 9.8
nvd
11 месяцев назад

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

debian логотип

CVE-2024-11041

CVSS3: 9.8
debian
11 месяцев назад

vllm-project vllm version v0.6.2 contains a vulnerability in the Messa ...

EPSS

Процентиль: 79%
0.01251
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2024-11041

Дефекты

CWE-502