VDB

CVE-2024-9053

CVE-2024-9053 PUBLISHED CVSS 9.800000190734863 CRITICAL

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

EPSS 10.02% · 93.2th percentile

Risk Scores

CVSS v3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
10.02%
93.2th percentile

Affected Products

VendorProductVersions
vllm-projectvllm0.6.0
PyPIvllm0
vllm-projectvllm-project/vllmunspecified

Timeline

  • Mar 20, 2025 CVE Published
  • Mar 20, 2025 EPSS Score
  • Mar 20, 2025 Coalition ESS Score
  • Mar 20, 2025 PoC Published
  • Mar 20, 2025 PoC Published
  • Apr 2, 2025 EPSS Score
  • Apr 16, 2025 EPSS Score
  • Apr 29, 2025 EPSS Score
  • May 7, 2025 Coalition ESS Score
  • May 12, 2025 EPSS Score
  • May 25, 2025 EPSS Score
  • Jun 8, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›