CVE-2024-11041
Published: 20 March 2025
Summary
CVE-2024-11041 is an uncategorised-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Vllm Vllm. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely patching of the unsafe pickle.loads deserialization flaw in vllm's MessageQueue.dequeue(), eliminating the RCE vulnerability.
- Mandates validation of untrusted socket inputs prior to deserialization, blocking malicious pickle payloads from execution.
- Restricts socket inputs to only expected safe formats, preventing processing of malicious deserialization payloads targeting MessageQueue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution by sending malicious pickle payloads over sockets to MessageQueue.dequeue(), facilitating exploitation of remote services.
NVD Description
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
Deeper analysis
CVE-2024-11041 affects vllm-project vllm version v0.6.2, specifically the MessageQueue.dequeue() API function. This vulnerability arises from the function's use of pickle.loads to directly parse data received over sockets, enabling deserialization of untrusted input. Classified under CWE-502 (Deserialization of Untrusted Data), it results in a remote code execution (RCE) condition.
An attacker can exploit this vulnerability remotely by sending a malicious pickle payload to the MessageQueue endpoint. If the targeted vllm instance processes the payload via dequeue(), it will execute arbitrary code on the victim's machine, potentially granting full system compromise depending on the host's privileges and environment.
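To make the defect and the input-validation mitigation concrete, the following is an added Python example written for this page, not vLLM's code: a simplified dequeue() that hands socket bytes straight to pickle.loads, beside a version that refuses any global reference in the frame and validates the decoded message against an assumed schema. Function names, frame contents and the schema keys are constructed for the example.

```python
import collections
import io
import pickle

# Constructed, simplified stand-in for a socket-backed message queue.
# Not vLLM's code: names, frame layout and message schema are assumptions.

def unsafe_dequeue(frame: bytes):
    """Mirrors the flawed pattern: bytes read from the socket go straight to pickle.loads (CWE-502)."""
    return pickle.loads(frame)

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any module-level name, so a frame can only rebuild built-in scalars and containers."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from an untrusted frame")

EXPECTED_KEYS = {"request_id", "prompt"}   # assumed message schema for this example

def safe_dequeue(frame: bytes):
    """Restricted unpickling followed by schema validation of the resulting object."""
    msg = RestrictedUnpickler(io.BytesIO(frame)).load()
    if not isinstance(msg, dict) or set(msg) != EXPECTED_KEYS:
        raise ValueError("frame does not match the expected message schema")
    if not isinstance(msg["request_id"], int) or not isinstance(msg["prompt"], str):
        raise ValueError("field types do not match the expected message schema")
    return msg

def is_rejected(frame: bytes) -> bool:
    """True when the hardened path refuses the frame, False when it decodes cleanly."""
    try:
        safe_dequeue(frame)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

# Constructed frames for demonstration.
GOOD_FRAME = pickle.dumps({"request_id": 7, "prompt": "hello"})
# Any pickle that names a global (here a harmless stdlib class) is refused before reconstruction,
# which is the property that closes the RCE path: no callable can be looked up, so none can run.
GLOBAL_REF_FRAME = pickle.dumps(collections.OrderedDict(request_id=7, prompt="hello"))
# A frame of the wrong shape is still rejected by the schema check even though it carries no global.
WRONG_SHAPE_FRAME = pickle.dumps(["request_id", 7])
```

Note that unsafe_dequeue accepts all three frames; only the hardened path distinguishes them.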
For mitigation details, refer to the advisory on Huntr at https://huntr.com/bounties/00136195-11e0-4ad0-98d5-72db066e867f, which reported the issue.
This vulnerability is notable in the context of AI/ML infrastructure, as vLLM is a high-performance serving engine for large language models, potentially exposing deployments in production LLM inference setups.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- APIs and Models
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- vLLM is a high-throughput serving engine for large language models (LLMs), providing APIs for model inference and serving, making it fit the 'APIs and Models' category. The vulnerability is in its MessageQueue API, confirming AI relevance.