9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-ggpf-24jw-3fcw

EPSS Score

CWE

CWE-1395

Published

4/23/2025

Updated

4/23/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-ggpf-24jw-3fcw

GHSA-ggpf-24jw-3fcw: CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0

Description

https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vllm host. The fix applied to specify weights_only=True to calls to torch.load() did not solve the problem prior to PyTorch 2.6.0.

PyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6

This means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem.

Background Knowledge

When users install VLLM according to the official manual

But the version of PyTorch is specified in the requirements. txt file

So by default when the user install VLLM, it will install the PyTorch with version 2.5.1

In CVE-2025-24357, weights_only=True was used for patching, but we know this is not secure. Because we found that using Weights_only=True in pyTorch before 2.5.1 was unsafe

Here, we use this interface to prove that it is not safe.

Fix

update PyTorch version to 2.6.0

Credit

This vulnerability was found By Ji'an Zhou and Li'shuo Song

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-ggpf-24jw-3fcw

GHSA-ggpf-24jw-3fcw:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-ggpf-24jw-3fcw

EPSS Score

CWE

CWE-1395

Published

4/23/2025

Updated

4/23/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vllm	pip	< 0.8.0	0.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises because the fix applied in vLLM (adding weights_only=True to torch.load calls) is ineffective for versions of PyTorch prior to 2.6.0, as stated in CVE-2025-24357 and the related PyTorch advisory GHSA-53q9-r3pm-6pq6. The commit 8dae1e337b4377b650a03ce020774cc9c48d25a2 (from PR #12366, which fixed the original GHSA-rh4j-5rhw-hr54) shows all the locations where torch.load was modified. These locations remain vulnerable if vLLM is used with an unpatched PyTorch version. The functions listed are those that directly invoke torch.load on potentially untrusted model files or weights, making them the points where malicious code execution could be triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-ggpf-24jw-3fcw: CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0

Description

Background Knowledge

Fix

Credit

GHSA-ggpf-24jw-3fcw:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-ggpf-24jw-3fcw: CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0

Description

Background Knowledge

Fix

Credit

Basic Information

Basic Information

Technical Details

9.8

9.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI