Vulnerability Details CVE-2024-9053
vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.4%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2024-9053
-
cpe:2.3:a:vllm-project:vllm:0.6.0