CVE-2025-24357

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.7.0

Description The issue concerns the vLLM library, specifically the vllm/model executor/weight utils.py file, which implements hf model weights iterator to load model checkpoints downloaded from Hugging Face. It utilizes the torch.load function with the weights only parameter defaulting to False. When torch.load loads malicious pickle data, it executes arbitrary code during unpickling. This can be exploited to execute arbitrary codes and OS commands on the victim machine that fetches the pre-trained repository remotely. Most models now use the safetensors format, which is not vulnerable to this issue.

Recommendations For versions prior to 0.7.0, update to version 0.7.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of torch.load with untrusted data until a patch is applied. Restrict access to the vllm/model executor/weight utils.py module to minimize the risk of exploitation. Avoid using the weights only parameter with malicious pickle data in the affected API endpoint until the issue is resolved.