GHSA-m549-qq94-fvhg: LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
highvulnerability
security
Summary
LMDeploy, a model serving tool, hardcodes `trust_remote_code=True` (a setting that allows executing custom Python code from downloaded models) when loading models from HuggingFace. An attacker who can control which model path the system loads could point it to a malicious model repository, causing arbitrary code execution (running any commands they want) with the privileges of the LMDeploy server process. This affects LMDeploy version 0.12.3 and earlier.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 21, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
HuggingFace
Affected Packages
lmdeploy@< 0.13.0 (fixed: 0.13.0)
Related Issues
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-m549-qq94-fvhg
First tracked: May 21, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%