Lyu Han

1 exploit Active since Dec 2025
CVE-2025-67729 WRITEUP HIGH WRITEUP
LMDeploy < 0.11.1 - Remote Code Execution via Insecure PyTorch Model Deserialization
LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.
CVSS 8.8