PT-2025-14770 · Unknown · Internlm Lmdeploy

Ybdesire · Published 2025-04-03 · Updated 2025-04-24 · CVE-2025-3162

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
InternLM LMDeploy versions up to 0.7.1

Description
A critical issue was found in InternLM LMDeploy, affecting the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py in the component PT File Handler. Manipulating the input leads to deserialization of untrusted data. The attack requires local access. The exploit has been disclosed to the public and may be used.

Recommendations
To resolve the issue, update to a version later than 0.7.1. As a temporary workaround, consider disabling the load_weight_ckpt function until a patch is available. Restrict access to the PT File Handler component to minimize the risk of exploitation.
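
One way to act on the recommendation to restrict what reaches the PT file handler is to list the globals a checkpoint's pickle stream would import and reject anything outside an allowlist, without ever loading the file. This is an added example, not LMDeploy code or the project's fix; the allowlist, function names and sample inputs are assumptions, and it relies on PyTorch `.pt` files being pickle streams (bare, or as `.pkl` members of a zip archive).

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist for this example: globals a plain state_dict needs.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "torch.HalfStorage",
}

def pickle_globals(stream: bytes) -> list:
    """List every 'module.name' the stream would import, without loading it."""
    found, recent = [], []          # recent: args of the last two non-MEMOIZE opcodes
    for opcode, arg, _pos in pickletools.genops(stream):
        if opcode.name == "GLOBAL":             # protocols 0-3: "module name"
            found.append(arg.replace(" ", ".", 1))
        elif opcode.name == "STACK_GLOBAL":     # protocol 4+: two strings on the stack
            if len(recent) == 2 and all(isinstance(a, str) for a in recent):
                found.append(".".join(recent))
            else:                               # operands came from the memo: fail closed
                found.append("<unresolved STACK_GLOBAL>")
        if opcode.name != "MEMOIZE":
            recent = (recent + [arg])[-2:]
    return found

def disallowed_globals(checkpoint: bytes) -> list:
    """Globals outside the allowlist; an empty list means nothing unexpected."""
    if zipfile.is_zipfile(io.BytesIO(checkpoint)):   # zip-based .pt layout
        with zipfile.ZipFile(io.BytesIO(checkpoint)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
        if not streams:
            return ["<no pickle member found>"]
    else:                                            # a single bare pickle stream
        streams = [checkpoint]
    return [g for s in streams for g in pickle_globals(s) if g not in ALLOWED_GLOBALS]

# Constructed samples: a weights-like mapping, and one carrying a callable
# reference (builtins.print stands in for any unexpected import).
SAMPLE_BENIGN = pickle.dumps(OrderedDict(layer=[0.1, 0.2]), protocol=2)
SAMPLE_SUSPECT = pickle.dumps({"weights": [0.1], "hook": print}, protocol=4)

if __name__ == "__main__":
    print(disallowed_globals(SAMPLE_BENIGN))
    print(disallowed_globals(SAMPLE_SUSPECT))
```

An empty result only says no unexpected import was found in the scanned streams; updating past 0.7.1 remains the fix.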

Exploit · Fix · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers
CVE-2025-3162
GHSA-7VC5-MJWP-C8FQ

Affected Products
Internlm Lmdeploy