CVE-2025-3165

MEDIUM

thu-pacman chitu <0.1.0 - Deserialization

Title source: llm

Description

A vulnerability classified as critical has been found in thu-pacman chitu 0.1.0. This affects the function torch.load of the file chitu/chitu/backend.py. The manipulation of the argument ckpt_path/quant_ckpt_dir leads to deserialization. An attack has to be approached locally.

References (4)

[Issue Tracking] https://github.com/thu-pacman/chitu/issues/32

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.303111

[Permissions Required, VDB Entry] https://vuldb.com/?id.303111

[Permissions Required, VDB Entry] https://vuldb.com/?submit.542529

Scores

CVSS v3 5.3

EPSS 0.0013

EPSS Percentile 32.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status draft

Timeline

Published Apr 03, 2025

Tracked Since Feb 18, 2026