Description

LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.

INFO

Published Date :

2025-12-26T21:54:10.137Z

Last Modified :

2025-12-26T22:10:54.833Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67729 vulnerability.

Vendors Products
Internlm
  • Lmdeploy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67729.

URL Resource
https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee cve-icon cve-icon
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact