CVE-2024-9053
Published: 20 March 2025
Summary
CVE-2024-9053 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in vllm-project vllm. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 6.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as NLP and Transformers and falls in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
vllm-project vllm version 0.6.0 is affected by a deserialization vulnerability in the AsyncEngineRPCServer RPC server entrypoints. The run_server_loop function invokes _make_handler_coro, which passes received messages directly to cloudpickle.loads without any validation or sanitization, enabling arbitrary code execution through malicious pickle payloads. The issue is tracked as CVE-2024-9053 with a CVSS score of 9.8 and is associated with CWE-502 and CWE-78.
An unauthenticated remote attacker can connect to the exposed RPC interface and supply crafted serialized objects. Successful exploitation grants full control over the server process, including the ability to execute arbitrary commands, read or modify data, and disrupt service availability.
The sole reference points to a huntr.com bounty report that details the finding, though no specific patch or mitigation guidance is provided in the available information. The project is an LLM inference engine, placing the flaw in an AI/ML serving context where RPC interfaces may be reachable in distributed deployments. The associated EPSS score has reached a peak of 0.1046 with a current value of 0.1002.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6874
Vulnerability details
vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.
- CWE(s): CWE-502 (Deserialization of Untrusted Data), CWE-78 (OS Command Injection)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: vllm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unsafe deserialization vulnerability in the vLLM AsyncEngineRPCServer enables remote code execution via malicious pickle data sent to the RPC server entrypoints, directly mapping to exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): remediating the flaw in vllm's AsyncEngineRPCServer, which passes received messages straight to cloudpickle.loads, removes the unsafe deserialization step that leads to remote code execution.
- SI-10 (Information Input Validation): validating RPC server inputs before they are deserialized rejects malicious pickle data, so the untrusted payload is never processed into live objects.
- Boundary protection: restricting network access to the exposed RPC endpoints keeps unauthenticated remote attackers from reaching the interface at all, so they cannot deliver a pickle payload to it.
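The following is an added illustration of the SI-10 control above, written for this page; it is not vLLM's code and not the project's actual fix. It shows the generic pattern for validating a pickle-format message before any object is reconstructed: an allowlist-based `pickle.Unpickler.find_class` override (the standard library reads the same wire format cloudpickle produces), combined with a size limit. The allowlist contents, the message shapes and the helper names are assumptions made for the example. Replacing pickle with a data-only format such as JSON or msgpack is the more robust remediation (SI-2); the allowlist is the containment a defender can apply to an existing pickle-based interface.

```python
import collections
import datetime
import io
import pickle

# Hypothetical allowlist for illustration (not vLLM's own policy): the only
# (module, name) globals an incoming RPC message may reference. Plain dicts,
# lists, strings and numbers are encoded with dedicated pickle opcodes and
# never consult find_class, so a well-formed request never needs anything
# beyond this list. datetime is included to show a legitimately needed,
# data-only type that does require a global lookup.
ALLOWED_GLOBALS = {
    ("datetime", "datetime"),
}

MAX_MESSAGE_BYTES = 1 << 20  # 1 MiB; assumed upper bound for one request


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS.

    find_class is the single choke point through which pickle reaches
    callables (classes, functions) during reconstruction; denying it by
    default is what turns an RCE primitive into a rejected message.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Deserialize a message, enforcing the size bound and the allowlist."""
    if len(data) > MAX_MESSAGE_BYTES:
        raise ValueError(f"payload of {len(data)} bytes exceeds limit")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def handle_rpc_message(raw: bytes):
    """Validation gate in front of a handler.

    Returns ("ok", obj) for an accepted message, or ("rejected", reason).
    Any failure to decode is treated as a rejection; the message never
    reaches application logic unless it decoded under the policy.
    """
    try:
        return ("ok", safe_loads(raw))
    except Exception as exc:  # UnpicklingError, ValueError, EOFError, ...
        return ("rejected", f"{type(exc).__name__}: {exc}")


def constructed_benign_message() -> bytes:
    """Constructed sample request (not real vLLM traffic)."""
    request = {
        "request_id": "req-1",
        "prompt": "hello",
        "max_tokens": 16,
        "submitted_at": datetime.datetime(2025, 3, 20, 12, 0),
    }
    return pickle.dumps(request)


def constructed_disallowed_message() -> bytes:
    """Constructed message referencing a global outside the allowlist.

    OrderedDict itself is harmless; it stands in for any class or function
    the policy has not approved, which is exactly what the gate must stop.
    """
    return pickle.dumps(collections.OrderedDict(a=1))


def constructed_oversized_message() -> bytes:
    """Constructed message that is over the size bound before parsing."""
    return bytes(MAX_MESSAGE_BYTES + 1)


if __name__ == "__main__":
    for label, msg in [
        ("benign", constructed_benign_message()),
        ("disallowed global", constructed_disallowed_message()),
        ("oversized", constructed_oversized_message()),
    ]:
        status, detail = handle_rpc_message(msg)
        print(f"{label:>18}: {status} -> {detail!r}")
```

Run as a script, the benign request decodes to the original dict, while the message carrying a non-allowlisted global and the oversized message are both reported as rejected. The order of checks matters: the length bound is applied before any parsing, and `find_class` is consulted during parsing, before the referenced global is ever called.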