Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Published: 2025-03-20
Score: 2.6 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6864 vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object
Github GHSA Github GHSA GHSA-pgr7-mhp5-fgjp vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object
History

Thu, 10 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution by Pickle Deserialization in vllm-project/vllm vllm: Remote Code Execution by Pickle Deserialization in vllm-project/vllm
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_0

{'score': 2.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N'}

Thu, 10 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description vllm-project vllm version 0.6.0 contains a vulnerability in the distributed training API. The function vllm.distributed.GroupCoordinator.recv_object() deserializes received object bytes using pickle.loads() without sanitization, leading to a remote code execution vulnerability. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Tue, 25 Mar 2025 01:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 20 Mar 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 20 Mar 2025 10:15:00 +0000

Type Values Removed Values Added
Description vllm-project vllm version 0.6.0 contains a vulnerability in the distributed training API. The function vllm.distributed.GroupCoordinator.recv_object() deserializes received object bytes using pickle.loads() without sanitization, leading to a remote code execution vulnerability.
Title Remote Code Execution by Pickle Deserialization in vllm-project/vllm
Weaknesses CWE-502
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: REJECTED

Assigner: @huntr_ai

Published:

Updated: 2025-04-10T16:17:38.776Z

Reserved: 2024-09-20T18:41:05.794Z

Link: CVE-2024-9052

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2025-03-20T10:15:46.197

Modified: 2025-04-10T16:15:27.670

Link: CVE-2024-9052

cve-icon Redhat

Severity : Low

Publid Date: 2025-03-20T10:09:31Z

Links: CVE-2024-9052 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses