CNNVD-202512-4827 Information
CNNVD ID
CNNVD-202512-4827
Related CVE
-
CNNVD Published
2025-12-26
Description
lmdeploy is an open-source toolkit from InternLM for compressing, deploying, and serving LLMs. Versions of lmdeploy before 0.11.1 contain a code issue vulnerability that stems from loading model checkpoint files without the weights_only parameter, which may allow an attacker to execute arbitrary code on the victim's machine through a malicious model file.
Hazard Level
Medium
Vulnerability Type
Code issue
Affected Vendor
InternLM
Published
2025-12-26
Last Modified
2026-02-24
References
https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh
https://access.redhat.com/security/cve/cve-2025-67729
Patch
https://github.com/InternLM/lmdeploy/releases