Cyber Resilience

CVE-2024-9053

Critical · Public PoC · RCE

Published: 20 March 2025

Modified: 15 October 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1002 (93.2th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9053 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in vllm-project vllm. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

vllm-project vllm version 0.6.0 is affected by a deserialization vulnerability in the AsyncEngineRPCServer RPC server entrypoints. The run_server_loop function invokes _make_handler_coro, which passes received messages directly to cloudpickle.loads without any validation or sanitization, enabling arbitrary code execution through malicious pickle payloads. The issue is tracked as CVE-2024-9053 with a CVSS score of 9.8 and is associated with CWE-502 and CWE-78.

An unauthenticated remote attacker can connect to the exposed RPC interface and supply crafted serialized objects. Successful exploitation grants full control over the server process, including the ability to execute arbitrary commands, read or modify data, and disrupt service availability.

The sole reference points to a huntr.com bounty report that details the finding, though no specific patch or mitigation guidance is provided in the available information. The project is an LLM inference engine, placing the flaw in an AI/ML serving context where RPC interfaces may be reachable in distributed deployments. The associated EPSS score has reached a peak of 0.1046 with a current value of 0.1002.

EU & UK References

Vulnerability details

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

CWE(s)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: vllm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The unsafe deserialization vulnerability in the vLLM AsyncEngineRPCServer enables remote code execution via malicious pickle data sent to the RPC server entrypoints, directly mapping to exploitation of a public-facing application.

CVEs Like This One

CVE-2025-60237 (Shared CWE-502)
CVE-2025-54719 (Shared CWE-502)
CVE-2026-42062 (Shared CWE-78)
CVE-2025-41709 (Shared CWE-78)
CVE-2026-40473 (Shared CWE-502)
CVE-2025-59287 (Shared CWE-502)
CVE-2026-39467 (Shared CWE-502)
CVE-2025-69294 (Shared CWE-502)
CVE-2025-69099 (Shared CWE-502)
CVE-2025-51742 (Shared CWE-502)

Affected Assets

vllm-project vllm 0.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Remediating the flaw in vllm's AsyncEngineRPCServer that performs unsafe cloudpickle.loads directly prevents remote code execution from malicious deserialization.

prevent

Validating RPC server inputs before deserialization rejects malicious pickle data, blocking the untrusted data processing that leads to RCE.

prevent

Boundary protection restricts network access to the exposed RPC endpoints, preventing unauthenticated remote attackers from delivering malicious pickle payloads.
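
The input-validation control above, as an added example (not vLLM's code or its fix): a decoder that refuses any pickle frame naming an importable global, so only plain data is ever built from the wire. The standard-library pickle stands in for cloudpickle, and the RPC method names, size limit and sample frames are assumptions constructed for illustration.

```python
import io
import pickle

MAX_FRAME_BYTES = 1 << 20                          # assumed size ceiling
ALLOWED_METHODS = {"generate", "abort", "health"}  # hypothetical RPC method names


class RejectedFrame(Exception):
    """Frame failed validation and was not turned into live objects."""


class NoGlobalsUnpickler(pickle.Unpickler):
    # Every class or callable a pickle names is resolved through find_class.
    # Refusing all lookups limits frames to plain data: dict, list, str, int...
    def find_class(self, module, name):
        raise RejectedFrame(f"global {module}.{name} is not permitted")


def decode_rpc_frame(frame: bytes) -> dict:
    """Decode one RPC frame, or raise RejectedFrame."""
    if len(frame) > MAX_FRAME_BYTES:
        raise RejectedFrame("frame exceeds size limit")
    try:
        msg = NoGlobalsUnpickler(io.BytesIO(frame)).load()
    except RejectedFrame:
        raise
    except Exception as exc:  # truncated or malformed stream
        raise RejectedFrame(f"malformed frame: {exc}") from exc
    method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        raise RejectedFrame("unexpected message shape or method")
    return msg


def is_accepted(frame: bytes) -> bool:
    try:
        decode_rpc_frame(frame)
        return True
    except RejectedFrame:
        return False


# Constructed sample frames (not captured traffic).
PLAIN_FRAME = pickle.dumps({"method": "generate", "prompt": "hello"})
GLOBAL_FRAME = pickle.dumps(len)       # harmless, but names builtins.len
UNKNOWN_METHOD_FRAME = pickle.dumps({"method": "shutdown"})

if __name__ == "__main__":
    for label, frame in [("plain", PLAIN_FRAME), ("global", GLOBAL_FRAME),
                         ("unknown method", UNKNOWN_METHOD_FRAME)]:
        print(f"{label}: {'accepted' if is_accepted(frame) else 'rejected'}")
```

A restricted unpickler narrows what a frame can do; carrying RPC messages in a data-only format such as JSON removes the pickle code path from the network boundary altogether.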

References