CVE-2025-3677: A vulnerability classified as critical was found in lm-sys fastchat up to 0.2.36. This vulnerability affects the functio
Summary
A critical vulnerability (CVE-2025-3677) was found in lm-sys FastChat version 0.2.36 and earlier in the file apply_delta.py. The flaw involves deserialization (converting data back into code or objects, which can be dangerous if the data comes from an untrusted source) and can only be exploited by someone with local access to the affected system.
Vulnerability Details
5.3(medium)
EPSS: 0.1%
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-3677
First tracked: February 15, 2026 at 08:48 PM
Classified by LLM (prompt v3) · confidence: 85%