Cyber Resilience

CVE-2024-11041

Critical · Public PoC · RCE

Published: 20 March 2025

Modified: 31 July 2025
CVSS Score v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0560 (90.5th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11041 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in vllm. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 9.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

vllm-project vllm version v0.6.2 contains a deserialization flaw in the MessageQueue.dequeue() function. The routine passes data received over sockets directly to pickle.loads without validation or authentication checks, enabling arbitrary code execution when untrusted input is processed. The issue is tracked as CWE-502 and carries a CVSS 3.0 score of 9.8.

An unauthenticated remote attacker can connect to an exposed MessageQueue endpoint and transmit a crafted payload that results in immediate code execution on the target host with the privileges of the vllm process. No user interaction or special network position is required.

The single reference points to a huntr.dev bounty report that disclosed the pickle usage; no vendor advisory or patch information is supplied in the available data. The associated EPSS scores remain low and essentially flat.

Vulnerability details

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse data received from sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: vllm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables remote code execution by sending malicious pickle payloads over sockets to MessageQueue.dequeue(), facilitating exploitation of remote services.

CVEs Like This One

CVE-2025-29783 (same product: Vllm Vllm)
CVE-2025-62164 (same product: Vllm Vllm)
CVE-2025-24357 (same product: Vllm Vllm)
CVE-2025-66448 (same product: Vllm Vllm)
CVE-2026-22807 (same product: Vllm Vllm)
CVE-2026-22773 (same product: Vllm Vllm)
CVE-2026-25960 (same product: Vllm Vllm)
CVE-2026-22778 (same product: Vllm Vllm)
CVE-2026-24779 (same product: Vllm Vllm)
CVE-2026-27893 (same product: Vllm Vllm)

Affected Assets

vllm
vllm
0.6.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely patching of the unsafe pickle.loads deserialization flaw in vllm's MessageQueue.dequeue(), eliminating the RCE vulnerability.

prevent

Mandates validation of untrusted socket inputs prior to deserialization, blocking malicious pickle payloads from execution.

prevent

Restricts socket inputs to only expected safe formats, preventing processing of malicious deserialization payloads targeting MessageQueue.
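
The two input-validation controls above, sketched as an added example (this is not vLLM's code or its fix): a receiver that authenticates each socket frame before deserializing it and then refuses any pickle that references a global. The names `seal`, `safe_loads` and `PrimitivesOnlyUnpickler`, the pre-shared key and the 32-byte tag prefix are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import pickle

# Assumed framing for this example: 32-byte HMAC-SHA256 tag, then the pickle body.
TAG_LEN = hashlib.sha256().digest_size


class PrimitivesOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only data encoded by pickle's own
    opcodes (dict, list, tuple, str, bytes, int, float, bool, None) loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def seal(key: bytes, obj) -> bytes:
    """Sender side: pickle obj and prepend an HMAC-SHA256 tag over the body."""
    body = pickle.dumps(obj, protocol=4)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def safe_loads(key: bytes, frame: bytes, max_len: int = 1 << 20):
    """Receiver side: bound the size, verify the tag, then deserialize with
    globals disabled. Raises ValueError for every rejected frame."""
    if len(frame) < TAG_LEN or len(frame) > max_len:
        raise ValueError("frame length out of bounds")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; the body is not parsed until this passes.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad authentication tag")
    try:
        return PrimitivesOnlyUnpickler(io.BytesIO(body)).load()
    except pickle.UnpicklingError as exc:
        raise ValueError(f"rejected payload: {exc}") from exc
```

The tag check addresses the unauthenticated sender described in the analysis; the restricted unpickler limits what even an authenticated peer can make the receiver reconstruct.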
