Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-9053

Опубликовано: 20 мар. 2025
Источник: redhat
CVSS3: 2.6

Описание

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

A flaw was found in the vLLM AsyncEngineRPCServer. This vulnerability allows remote code execution via deserialization of untrusted data.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-amd-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-aws-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-azure-amd-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-azure-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-gcp-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-ibm-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-intel-rhel9Fix deferred
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/instructlab-amd-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/instructlab-intel-rhel9Fix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-78
https://bugzilla.redhat.com/show_bug.cgi?id=2353703vllm: Remote Code Execution in vllm-project/vllm

2.6 Low

CVSS3

Связанные уязвимости

nvd логотип

CVE-2024-9053

CVSS3: 9.8
nvd
11 месяцев назад

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

debian логотип

CVE-2024-9053

CVSS3: 9.8
debian
11 месяцев назад

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncE ...

github логотип

GHSA-cj47-qj6g-x7r4

CVSS3: 9.8
github
11 месяцев назад

vLLM allows Remote Code Execution by Pickle Deserialization via AsyncEngineRPCServer() RPC server entrypoints

2.6 Low

CVSS3