Vllm · Vllm · CVE-2025-24357
**Name of the Vulnerable Software and Affected Versions**
vLLM versions prior to 0.7.0
**Description**
The issue concerns the vLLM library, specifically the `vllm/model_executor/weight_utils.py` file, which implements `hf_model_weights_iterator` to load model checkpoints downloaded from Hugging Face. It calls `torch.load` with the `weights_only` parameter left at its default of `False`. When `torch.load` deserializes malicious pickle data in that mode, the unpickler executes arbitrary code. This can be exploited to run arbitrary code and OS commands on the victim machine that fetches the pre-trained repository remotely. Most models now use the safetensors format, which is not affected by this issue.
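The failure mode above is that unpickling resolves `GLOBAL`/`STACK_GLOBAL` references to importable callables before any weights are seen, whereas a legitimate state_dict only needs a handful of modules. The following added example (not vLLM's or PyTorch's code) shows a defensive pre-load check that disassembles a pickle stream with `pickletools.genops`, which never executes it, and lists every module reference outside an assumed allowlist (`torch`, `collections`, `numpy`, `_codecs`). The sample inputs are constructed inline; `fractions.Fraction` is used purely as a harmless stand-in for "some class a state_dict has no business referencing".

```python
"""Static scan of pickle-based checkpoints before torch.load (added example)."""
import collections
import fractions
import pickle
import pickletools
import zipfile

# Assumption: top-level modules a plain PyTorch state_dict legitimately references
# (e.g. torch._utils._rebuild_tensor_v2, collections.OrderedDict).
ALLOWED_MODULES = {"torch", "collections", "numpy", "_codecs"}

# Opcodes that push a str onto the unpickler stack; STACK_GLOBAL consumes two of them.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the stream would import when unpickled.

    GLOBAL/INST carry "module name" inline. STACK_GLOBAL (protocol 4+) takes both
    from the two most recent string pushes, which may also arrive via memo GETs,
    so a small shadow of pushed strings and the memo table is kept. Nothing here
    executes the pickle.
    """
    found, strings, memo, last = [], [], {}, None
    for opcode, arg, _pos in pickletools.genops(data):
        op = opcode.name
        if op in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
            last = None
        elif op == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            last = None
        elif op in _STRING_OPS:
            strings.append(arg)
            last = arg
        elif op == "MEMOIZE":
            memo[len(memo)] = last          # MEMOIZE stores at the next free slot
        elif op in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None                     # any other opcode pushes a non-string
    return found


def unsafe_globals(data: bytes) -> list[tuple[str, str]]:
    """Module references outside ALLOWED_MODULES (compared on the top-level package)."""
    return [(m, n) for m, n in find_globals(data) if m.split(".")[0] not in ALLOWED_MODULES]


def is_safe_checkpoint(data: bytes) -> bool:
    return not unsafe_globals(data)


def scan_checkpoint_file(path: str) -> list[tuple[str, str]]:
    """Scan a .pt/.bin file. Modern torch.save output is a zip whose pickle lives
    in <name>/data.pkl; legacy files are a bare pickle stream."""
    if zipfile.is_zipfile(path):
        bad = []
        with zipfile.ZipFile(path) as zf:
            for entry in zf.namelist():
                if entry.endswith(".pkl"):
                    bad.extend(unsafe_globals(zf.read(entry)))
        return bad
    with open(path, "rb") as f:
        return unsafe_globals(f.read())


def build_samples() -> dict[str, bytes]:
    """Constructed inputs: a benign container-only 'state_dict' stand-in and a
    pickle referencing a class outside the allowlist (Fraction is harmless and
    stands in for an arbitrary importable callable)."""
    benign = {"layer.weight": [0.1, 0.2], "layer.bias": [0.0]}
    return {
        "benign_p2": pickle.dumps(benign, protocol=2),
        "benign_p4": pickle.dumps(benign, protocol=4),
        "ordered_p4": pickle.dumps(collections.OrderedDict(benign), protocol=4),
        "foreign_p2": pickle.dumps(fractions.Fraction(1, 2), protocol=2),
        "foreign_p4": pickle.dumps(fractions.Fraction(1, 2), protocol=4),
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:12s} safe={is_safe_checkpoint(blob)} refs={find_globals(blob)}")
```

A scan like this is a screening step, not a substitute for the actual fix: the loader should call `torch.load` with `weights_only=True`, which restricts unpickling to tensor and container types, and checkpoints should be shipped as safetensors where possible.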
**Recommendations**
For versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue. As a temporary workaround, do not pass untrusted data to `torch.load` until the patch is applied. Restrict access to the `vllm/model_executor/weight_utils.py` module to minimize the risk of exploitation. Avoid loading pickle data from untrusted sources through the affected code path with `weights_only` left at `False` until the issue is resolved.