PyPi: Vllm

CVE-2024-9052

Safety vulnerability ID: 76195

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 20, 2025 Updated at Apr 10, 2025

Scan your Python projects for vulnerabilities →

Advisory

vllm-project vllm version 0.6.0 contains a vulnerability in the distributed training API. The function vllm.distributed.GroupCoordinator.recv_object() deserializes received object bytes using pickle.loads() without sanitization, leading to a remote code execution vulnerability.

Affected package

vllm

Latest version: 0.8.3

A high-throughput and memory-efficient inference and serving engine for LLMs

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

https://huntr.com/bounties/ea75728f-4efe-4a3d-9f53-33f2c908e9f8
https://github.com/advisories/GHSA-pgr7-mhp5-fgjp
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9052

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application