Cyber Resilience

CVE-2025-24357

HighRCE

Published: 27 January 2025

Published
27 January 2025
Modified
27 June 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0066 71.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24357 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Vllm Vllm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 28.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

vLLM is a library for LLM inference and serving that is affected by CVE-2025-24357 in the hf_model_weights_iterator function within vllm/model_executor/weight_utils.py. This component downloads model checkpoints from Hugging Face and loads them using torch.load with the weights_only parameter defaulting to False, which permits execution of arbitrary code when unpickling malicious data. The issue is a deserialization flaw tracked as CWE-502 and was corrected in release v0.7.0.

An attacker can publish or substitute a malicious checkpoint on Hugging Face that a user subsequently loads through vLLM. Because the load occurs over the network with no requirement for local privileges beyond fetching the model, successful exploitation yields arbitrary code execution on the target system and can compromise confidentiality, integrity, and availability.

Project advisories and the referenced commit indicate that upgrading to v0.7.0 resolves the vulnerability by ensuring safe loading behavior for model weights. The associated GitHub security advisory and pull request document the change and link to PyTorch documentation on torch.load for further context on the underlying parameter.

The affected software is used in AI/ML inference pipelines, making the unsafe default particularly relevant to practitioners handling externally sourced models.

EU & UK References

Vulnerability details

vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data,…

more

it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: huggingface, llm, vllm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1195.002 Compromise Software Supply Chain Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

Deserialization vulnerability via torch.load(pickle) with weights_only=False enables arbitrary code execution from malicious Hugging Face model checkpoints, facilitating exploitation for client execution and supply chain compromise through tainted software dependencies.

CVEs Like This One

CVE-2024-11041Same product: Vllm Vllm
CVE-2025-29783Same product: Vllm Vllm
CVE-2026-27893Same product: Vllm Vllm
CVE-2025-66448Same product: Vllm Vllm
CVE-2025-62164Same product: Vllm Vllm
CVE-2026-22807Same product: Vllm Vllm
CVE-2026-22773Same product: Vllm Vllm
CVE-2026-25960Same product: Vllm Vllm
CVE-2026-22778Same product: Vllm Vllm
CVE-2026-24779Same product: Vllm Vllm

Affected Assets

vllm
vllm
≤ 0.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and remediation of the deserialization flaw by patching vLLM to version 0.7.0 or later where torch.load uses weights_only=True by default.

prevent

Mandates integrity checks on model checkpoints prior to loading and execution, preventing arbitrary code execution from malicious pickle data downloaded from Hugging Face.

prevent

Enforces secure baseline configuration settings for libraries like PyTorch's torch.load, such as enabling weights_only=True, to block unsafe deserialization of untrusted model files.

References