From 33afcfdcd386845f724c028dac1bf23efcc173e8 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Wed, 23 Apr 2025 02:27:24 +0000 Subject: [PATCH] Publish GHSA-ggpf-24jw-3fcw --- .../GHSA-ggpf-24jw-3fcw.json | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 advisories/github-reviewed/2025/04/GHSA-ggpf-24jw-3fcw/GHSA-ggpf-24jw-3fcw.json diff --git a/advisories/github-reviewed/2025/04/GHSA-ggpf-24jw-3fcw/GHSA-ggpf-24jw-3fcw.json b/advisories/github-reviewed/2025/04/GHSA-ggpf-24jw-3fcw/GHSA-ggpf-24jw-3fcw.json new file mode 100644 index 00000000000..9e7da36b66a --- /dev/null +++ b/advisories/github-reviewed/2025/04/GHSA-ggpf-24jw-3fcw/GHSA-ggpf-24jw-3fcw.json @@ -0,0 +1,63 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ggpf-24jw-3fcw", + "modified": "2025-04-23T02:26:06Z", + "published": "2025-04-23T02:26:06Z", + "aliases": [], + "summary": "CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0", + "details": "## Description\n\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vllm host. The fix applied to specify `weights_only=True` to calls to `torch.load()` did not solve the problem prior to PyTorch 2.6.0.\n\nPyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6\n\nThis means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem.\n## Background Knowledge\nWhen users install VLLM according to the official manual\n![image](https://github.com/user-attachments/assets/d17e0bdb-26f2-46d6-adf6-0b17e5ddf5c7)\n\nBut the version of PyTorch is specified in the requirements. txt file\n![image](https://github.com/user-attachments/assets/94aad622-ad6d-4741-b772-c342727c58c7)\n\nSo by default when the user install VLLM, it will install the PyTorch with version 2.5.1\n![image](https://github.com/user-attachments/assets/04ff31b0-aad1-490a-963d-00fda91da47b)\n\nIn CVE-2025-24357, weights_only=True was used for patching, but we know this is not secure.\nBecause we found that using Weights_only=True in pyTorch before 2.5.1 was unsafe\n\nHere, we use this interface to prove that it is not safe.\n![image](https://github.com/user-attachments/assets/0d86efcd-2aad-42a2-8ac6-cc96b054c925)\n\n\n## Fix\nupdate PyTorch version to 2.6.0\n\n## Credit\nThis vulnerability was found By Ji'an Zhou and Li'shuo Song", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "vllm" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.8.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6" + }, + { + "type": "WEB", + "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-ggpf-24jw-3fcw" + }, + { + "type": "WEB", + "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54" + }, + { + "type": "PACKAGE", + "url": "https://github.com/vllm-project/vllm" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1395" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2025-04-23T02:26:06Z", + "nvd_published_at": null + } +} \ No newline at end of file