CVE-2024-11041
Published: 20 March 2025
Summary
CVE-2024-11041 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in vLLM (vllm-project/vllm). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 9.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as NLP and Transformers and falls in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
vllm-project vllm version v0.6.2 contains a deserialization flaw in the MessageQueue.dequeue() function. The routine passes data received over sockets directly to pickle.loads without validation or authentication checks, enabling arbitrary code execution when untrusted input is processed. The issue is tracked as CWE-502 and carries a CVSS 3.0 score of 9.8.
An unauthenticated remote attacker can connect to an exposed MessageQueue endpoint and transmit a crafted payload that results in immediate code execution on the target host with the privileges of the vllm process. No user interaction or special network position is required.
The single reference points to a huntr.dev bounty report that disclosed the pickle usage; no vendor advisory or patch information is supplied in the available data. The associated EPSS scores remain low and essentially flat.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7068
Vulnerability details
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function passes data received over sockets directly to pickle.loads, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
- CWE(s): CWE-502 Deserialization of Untrusted Data
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: vllm
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation of Remote Services (T1210)
Why these techniques?
The vulnerability enables remote code execution by sending malicious pickle payloads over sockets to MessageQueue.dequeue(), which maps to exploitation of remote services.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of the unsafe pickle.loads deserialization flaw in vllm's MessageQueue.dequeue(), eliminating the RCE vulnerability.
- SI-10 (Information Input Validation): mandates validation of untrusted socket inputs prior to deserialization, blocking malicious pickle payloads from execution.
- Restricts socket inputs to only expected safe formats, preventing processing of malicious deserialization payloads targeting MessageQueue.