Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-cj47-qj6g-x7r4

Опубликовано: 20 мар. 2025
Источник: github
Github: Прошло ревью
CVSS3: 9.8

Описание

vLLM allows Remote Code Execution by Pickle Deserialization via AsyncEngineRPCServer() RPC server entrypoints

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

Ссылки

Пакеты

Наименование

vllm

pip
Затронутые версииВерсия исправления

<= 0.6.0

Отсутствует

EPSS

Процентиль: 83%
0.02063
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2024-9053

Дефекты

CWE-502
CWE-78

Связанные уязвимости

redhat логотип

CVE-2024-9053

CVSS3: 2.6
redhat
10 месяцев назад

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

nvd логотип

CVE-2024-9053

CVSS3: 9.8
nvd
10 месяцев назад

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

debian логотип

CVE-2024-9053

CVSS3: 9.8
debian
10 месяцев назад

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncE ...

EPSS

Процентиль: 83%
0.02063
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2024-9053

Дефекты

CWE-502
CWE-78