{"data":{"id":"bd9b18b7-4e75-432b-9da2-f8afe0549f6c","title":"CVE-2024-9053: vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core ","summary":"vllm version 0.6.0 has a vulnerability in its RPC server (a system that allows remote programs to request operations): the _make_handler_coro() function passes incoming messages to cloudpickle.loads() without any sanitization. Pickle is a format for converting Python objects to and from bytes, and loading a pickle can run code embedded in the data, so an attacker who can send a malicious serialized message to the RPC server can execute arbitrary code on the affected system.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-9053","publishedAt":"2025-03-20T14:15:46.327Z","cveId":"CVE-2024-9053","cweIds":["CWE-502","CWE-78"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["vLLM","vllm-project"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.02179,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586","CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}