MEDIUM 5.3
GHSA-7vc5-mjwp-c8fq
LMDeploy Improper Input Validation Vulnerability
Details
A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
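A defender-side check for the deserialization issue described above, as an added example (not code from the advisory or from LMDeploy): it lists the globals a `.pt` checkpoint's pickle stream would import, without unpickling it, and reports any that fall outside an allowlist. It assumes the PyTorch checkpoint layout (a zip archive holding `.pkl` members, or a raw pickle stream); `ALLOWED`, `pickle_globals`, `disallowed_globals` and both samples are hypothetical names and constructed data.

```python
import collections
import io
import pickle
import pickletools
import subprocess
import zipfile

# Illustrative allowlist (an assumption, not taken from the advisory): globals a
# plain tensor state_dict needs. Extend it only after reviewing each entry.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
           ("torch", "FloatStorage"), ("torch", "HalfStorage")}


def pickle_globals(stream: bytes):
    """List the (module, name) pairs a pickle stream imports, without loading it."""
    found, memo, run = [], {}, []  # run: values pushed by the directly preceding ops
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            run.append(arg)
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            run.append(memo.get(arg))  # None when the slot is not a known string
        elif op.name == "MEMOIZE":
            memo[len(memo)] = run[-1] if run else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = run[-1] if run else None
        else:
            if op.name in ("GLOBAL", "INST"):
                found.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":
                known = len(run) >= 2 and all(isinstance(s, str) for s in run[-2:])
                found.append(tuple(run[-2:]) if known else ("?", "?"))  # fail closed
            run = []  # any other opcode may change the stack: forget the strings
    return found


def disallowed_globals(blob: bytes):
    """Scan a zip-based .pt archive or a raw pickle; return non-allowlisted globals."""
    streams = [blob]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return sorted({g for s in streams for g in pickle_globals(s)} - ALLOWED)


# Constructed samples: a benign state dict, and one that references a process API.
SAMPLE_OK = pickle.dumps(collections.OrderedDict(weight=[0.5]), protocol=2)
SAMPLE_BAD = pickle.dumps({"weight": [0.5], "hook": subprocess.Popen}, protocol=4)
```

An empty result is a precondition for loading, not proof that the file is safe; where possible, prefer safetensors weights or `torch.load(..., weights_only=True)`.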
Affected packages
PyPI / lmdeploy
Introduced in: 0
No fixed version published yet for lmdeploy (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-3162 [ADVISORY]
- https://github.com/InternLM/lmdeploy/issues/3255 [WEB]
- https://github.com/InternLM/lmdeploy/issues/3255#issue-2918985270 [WEB]
- https://github.com/InternLM/lmdeploy [PACKAGE]
- https://vuldb.com/?ctiid.303108 [WEB]
- https://vuldb.com/?id.303108 [WEB]
- https://vuldb.com/?submit.542520 [WEB]