Описание
LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.
Уязвимые конфигурации
Конфигурация 1Версия до 0.11.1 (исключая)
cpe:2.3:a:internlm:lmdeploy:*:*:*:*:*:*:*:*
EPSS
Процентиль: 38%
0.00171
Низкий
8.8 High
CVSS3
Дефекты
CWE-502
Связанные уязвимости
CVSS3: 8.8
github
около 1 месяца назад
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
EPSS
Процентиль: 38%
0.00171
Низкий
8.8 High
CVSS3
Дефекты
CWE-502