
CVE-2025-3162: LMDeploy Improper Input Validation Vulnerability

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score
0.05471%
Published
4/3/2025
Updated
4/4/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name: lmdeploy
Ecosystem: pip
Vulnerable Versions: <= 0.7.1
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is consistently described in multiple sources (GitHub issue, CVE, VulDB) as residing in the load_weight_ckpt function in lmdeploy/lmdeploy/vl/model/utils.py. The root cause is the function's unsafe use of torch.load(), which deserializes checkpoint files with pickle, without any input validation or restrictive loading parameters. This is a direct input-processing function for checkpoint files, and the exploit demonstration shows how a malicious .pt file passed to it can trigger arbitrary code execution. Since all sources point to this single function as the vulnerable point and the exploit path is clearly demonstrated, confidence in this identification is high.
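The checkpoint-handling weakness described above comes down to trusting a pickle stream. The following added example (not code from LMDeploy or from this advisory) shows a defender-side pre-check: it walks the pickle opcodes of a .pt file without unpickling anything and reports every global the stream would import that is not on an allowlist of tensor-rebuilding names, which is the same idea behind loading with torch.load(..., weights_only=True). The allowlist, the zip-layout helper and the sample checkpoints are constructed for this example.

```python
import pickle
import pickletools
import zipfile
from io import BytesIO

# Constructed allowlist: globals a plain tensor/state_dict checkpoint legitimately needs.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage", "torch.HalfStorage", "torch.BFloat16Storage",
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}  # do not push, so ignore when pairing strings

def referenced_globals(data: bytes) -> set[str]:
    """Every module.name the stream would import, found by walking opcodes, never by unpickling."""
    found, recent = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):              # protocol <= 3: arg is "module name"
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":                # protocol 4+: pops two string pushes
            if len(recent) == 2 and all(n in STRING_OPS for n, _ in recent):
                found.add(f"{recent[0][1]}.{recent[1][1]}")
            else:
                found.add("<unresolved global>")       # memo-indirect form: treat as unknown
        if op.name not in MEMO_OPS:
            recent = (recent + [(op.name, arg)])[-2:]
    return found

def checkpoint_pickle(blob: bytes) -> bytes:
    """Pull the pickle stream out of a zip-layout .pt (*/data.pkl); a bare stream is returned as-is."""
    if zipfile.is_zipfile(BytesIO(blob)):
        with zipfile.ZipFile(BytesIO(blob)) as zf:
            return zf.read(next(n for n in zf.namelist() if n.endswith("data.pkl")))
    return blob

def disallowed_globals(blob: bytes, allowed=frozenset(ALLOWED_GLOBALS)) -> set[str]:
    """Empty set means nothing outside the allowlist would be imported; otherwise refuse to load."""
    return referenced_globals(checkpoint_pickle(blob)) - allowed

def make_zip_checkpoint(obj) -> bytes:
    """Constructed stand-in for the zip-based .pt layout used by the tests below."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj))
    return buf.getvalue()

if __name__ == "__main__":
    import collections, datetime
    benign = make_zip_checkpoint(collections.OrderedDict(w=[1.0, 2.0]))
    # Harmless non-tensor object: loading it still imports a module and calls a callable,
    # which is exactly the behaviour the allowlist must refuse for untrusted files.
    odd = make_zip_checkpoint(datetime.date(2025, 4, 3))
    print(disallowed_globals(benign), disallowed_globals(odd))  # set() {'datetime.date'}
```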

Vulnerable functions


WAF Protection Rules

WAF Rule

A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to dese
