CVE-2025-24357
Published: 27 January 2025
Summary
CVE-2025-24357 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in vLLM. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 28.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
vLLM is a library for LLM inference and serving that is affected by CVE-2025-24357 in the hf_model_weights_iterator function within vllm/model_executor/weight_utils.py. This component downloads model checkpoints from Hugging Face and loads them using torch.load with the weights_only parameter defaulting to False, which permits execution of arbitrary code when unpickling malicious data. The issue is a deserialization flaw tracked as CWE-502 and was corrected in release v0.7.0.
An attacker can publish or substitute a malicious checkpoint on Hugging Face that a user subsequently loads through vLLM. Because the load occurs over the network with no requirement for local privileges beyond fetching the model, successful exploitation yields arbitrary code execution on the target system and can compromise confidentiality, integrity, and availability.
Project advisories and the referenced commit indicate that upgrading to v0.7.0 resolves the vulnerability by ensuring safe loading behavior for model weights. The associated GitHub security advisory and pull request document the change and link to PyTorch documentation on torch.load for further context on the underlying parameter.
The affected software is used in AI/ML inference pipelines, making the unsafe default particularly relevant to practitioners handling externally sourced models.
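The unsafe default described above and in the vulnerability details below, as an added example that is not vLLM's or PyTorch's own code: a stdlib-only unpickler that allowlists globals the way torch.load(weights_only=True) does, plus a pickletools scan that lists the globals a checkpoint would resolve before anything is loaded. The allowlist contents, the `untrusted_plugin.Loader` name and both sample blobs are constructed for this example.

```python
import io
import pickle
import pickletools

# Allowlist in the spirit of torch.load(weights_only=True): only plain
# containers resolve. (Constructed here; PyTorch's real allowlist is larger
# and also covers its tensor and storage classes.)
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"),
                ("builtins", "tuple"), ("collections", "OrderedDict")}

class WeightsOnlyUnpickler(pickle.Unpickler):
    """A pickle can only run code through a global it resolves first
    (GLOBAL/STACK_GLOBAL, then REDUCE/NEWOBJ); refusing the lookup stops
    a tainted checkpoint before any of its code executes."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"rejected global {module}.{name}: not a weight container")

def load_checkpoint(data: bytes, weights_only: bool = True):
    """weights_only=False mirrors the pre-v0.7.0 default: any global resolves."""
    if weights_only:
        return WeightsOnlyUnpickler(io.BytesIO(data)).load()
    return pickle.loads(data)

def is_weights_only_safe(data: bytes) -> bool:
    try:
        load_checkpoint(data, weights_only=True)
        return True
    except pickle.UnpicklingError:
        return False

def referenced_globals(data: bytes) -> list:
    """Static triage: list every module.name the pickle would resolve, without loading."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

# Constructed sample checkpoints (not real vLLM or Hugging Face artifacts).
BENIGN_CHECKPOINT = pickle.dumps({"fc.weight": [0.5, -0.25], "fc.bias": [0.0]})
TAINTED_CHECKPOINT = (pickle.PROTO + b"\x02"
                      + pickle.GLOBAL + b"untrusted_plugin\nLoader\n"  # foreign class
                      + pickle.EMPTY_TUPLE + pickle.NEWOBJ + pickle.STOP)  # instantiate
```

Run referenced_globals over a downloaded checkpoint first: a weights file that names anything beyond container and tensor classes deserves scrutiny before it is ever passed to a loader.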
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0192
Vulnerability details
vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.
- CWE(s): CWE-502 Deserialization of Untrusted Data
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: huggingface, llm, vllm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization vulnerability via torch.load(pickle) with weights_only=False enables arbitrary code execution from malicious Hugging Face model checkpoints, facilitating exploitation for client execution and supply chain compromise through tainted software dependencies.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and remediation of the deserialization flaw by patching vLLM to version 0.7.0 or later, where torch.load uses weights_only=True by default.
- Integrity verification: Mandates integrity checks on model checkpoints prior to loading and execution, preventing arbitrary code execution from malicious pickle data downloaded from Hugging Face.
- CM-6 (Configuration Settings): Enforces secure baseline configuration settings for libraries like PyTorch's torch.load, such as enabling weights_only=True, to block unsafe deserialization of untrusted model files.