
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
vLLM, a library for LLM inference and serving, was found to contain a critical security vulnerability (CVE-2025-24357), disclosed on January 27, 2025. The vulnerability exists in the hf_model_weights_iterator implementation within vllm/model_executor/weight_utils.py, which is used to load model checkpoints downloaded from Hugging Face. The issue stems from calling torch.load with its weights_only parameter left at its default of False, potentially allowing arbitrary code execution during unpickling of malicious model data (NVD, Red Hat).
The vulnerability is rooted in the unsafe use of Python's pickle module through torch.load(). When weights_only is False (the default), the function deserializes the checkpoint with a full pickle unpickler, which is known to be insecure when handling untrusted data because a pickle stream can instruct the unpickler to import and call arbitrary Python callables. A malicious checkpoint can therefore execute arbitrary code during the unpickling process. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability enables potential remote code execution (RCE) on machines that attempt to run a malicious or compromised model using vLLM. An attacker could publish a crafted model that, when loaded, executes arbitrary code and OS commands on the victim's machine that fetches the pre-trained repository remotely. This poses a significant security risk for systems using vLLM to load models from potentially untrusted sources (GitHub Advisory, Red Hat).
The vulnerability has been fixed in vLLM version 0.7.0 by passing weights_only=True to torch.load(). This parameter restricts the unpickler's stack machine so that modules and functions are only imported and called if they appear in the allowlisted safe_globals, rather than whatever the checkpoint names. Users are strongly advised to upgrade to version 0.7.0 or later to mitigate this vulnerability (Red Hat, GitHub PR).
Source: This report was generated using AI