CNNVD-202601-3347 Information
CNNVD ID
CNNVD-202601-3347
Related CVE
- CNNVD Published: 2026-01-21
Description (Chinese)
vLLM is an open-source, high-throughput and memory-efficient inference and serving engine for LLMs from the vLLM project. vLLM versions from 0.10.1 up to but not including 0.14.0 contain a code injection vulnerability: during model resolution, Hugging Face auto_map dynamic modules were loaded without trusted-remote-code control, which may allow an attacker to execute arbitrary code when a model is loaded.
Description (English)
vLLM is an open-source, high-throughput and memory-efficient inference and serving engine for LLMs from the vLLM project. vLLM versions from 0.10.1 up to but not including 0.14.0 contain a code injection vulnerability. It stems from loading Hugging Face auto_map dynamic modules during model resolution without trusted-remote-code control, which may allow an attacker to execute arbitrary code when a model is loaded.
Hazard Level
Medium
Vulnerability Type
Code Injection
Affected Vendor
vLLM
Published
2026-01-21
Last Modified
2026-02-24
References
https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5
https://github.com/vllm-project/vllm/pull/32194
https://github.com/vllm-project/vllm/releases/tag/v0.14.0
https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr
Patch
https://github.com/vllm-project/vllm/releases