CVE-2025-67729
Published: 26 December 2025
Summary
CVE-2025-67729 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Internlm Lmdeploy. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2025-67729 by applying the patch in LMDeploy 0.11.1 that enforces weights_only=True in torch.load() to prevent insecure deserialization.
Information input validation ensures model checkpoint files (.bin or .pt) are checked for valid tensor content without malicious code prior to deserialization processing.
Malicious code protection scans and eradicates arbitrary code payloads embedded in malicious model files before or during loading into LMDeploy.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure deserialization in torch.load() enables arbitrary RCE when processing malicious .bin/.pt model files, directly facilitating Exploitation for Client Execution (T1203) via a software vulnerability requiring user interaction.
NVD Description
LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute…
more
arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.
Deeper analysisAI
CVE-2025-67729 is an insecure deserialization vulnerability (CWE-502) in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs). Affecting versions prior to 0.11.1, the flaw occurs when the torch.load() function is invoked without the weights_only=True parameter during the loading of model checkpoint files in .bin or .pt formats. This enables remote code execution upon processing malicious files, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by any remote attacker who tricks a user into loading a specially crafted .bin or .pt model file into an affected LMDeploy instance. Exploitation requires user interaction, such as manually loading a model from an untrusted source, but needs no privileges. Successful attacks grant attackers arbitrary code execution on the victim's machine with the privileges of the LMDeploy process, potentially leading to full system compromise, data theft, or further lateral movement.
The issue has been addressed in LMDeploy version 0.11.1, where the patch enforces the weights_only=True parameter in torch.load() calls. Official advisories, including GHSA-9pf3-7rrr-x5jh on the project's GitHub security page and the fixing commit eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee, recommend immediate upgrades and caution against loading models from untrusted sources.
Details
- CWE(s)