HIGH 8.8

PYSEC-2025-58

Details

vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / vllm

Introduced in: 0 Fixed in: d3d6bb13fb62da3234addf6574922a4ec0513d04

Fix pip install --upgrade 'vllm>=d3d6bb13fb62da3234addf6574922a4ec0513d04'

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 [ADVISORY]
https://github.com/vllm-project/vllm/commit/d3d6bb13fb62da3234addf6574922a4ec0513d04 [FIX]
https://github.com/vllm-project/vllm/pull/12366 [REPORT]
https://pytorch.org/docs/stable/generated/torch.load.html [WEB]