CRITICAL 9.8

PYSEC-2025-222

상세

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / vllm

최초 영향 버전: 0

No fixed version published yet for vllm (pip). Pin to a known-safe version or switch to an alternative.

참고

https://huntr.com/bounties/75a544f3-34a3-4da0-b5a3-1495cb031e09 [EVIDENCE]