CVE-2025-3162

MEDIUM

Internlm Lmdeploy < 0.7.1 - Insecure Deserialization

Title source: rule

Description

A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

References (5)

[Exploit, Issue Tracking, Vendor Advisory] https://github.com/InternLM/lmdeploy/issues/3255

[Exploit, Issue Tracking, Vendor Advisory] https://github.com/InternLM/lmdeploy/issues/3255#issue-2918985270

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.303108

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.303108

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.542520

Scores

CVSS v3 5.3

EPSS 0.0013

EPSS Percentile 32.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (2)

internlm/lmdeploy < 0.7.1

pypi/lmdeploy PyPI

Timeline

Published Apr 03, 2025

Tracked Since Feb 18, 2026