
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-ggpf-24jw-3fcw / CVE-2025-24357) affects vLLM versions prior to 0.8.0 and relates to a malicious model remote code execution (RCE) fix bypass when using PyTorch versions before 2.6.0. The issue was discovered in April 2025 and stems from an incomplete fix that relied on the weights_only=True parameter in torch.load() calls, which was found to be insufficient in preventing RCE attacks in earlier PyTorch versions (GitHub Advisory).
The vulnerability is rated as Critical with a CVSS score of 9.8. The issue occurs when loading model checkpoints using torch.load() with weights_only=True, which was previously considered a safe approach. By default, when users install vLLM, it installs PyTorch version 2.5.1, which contains this security weakness. The vulnerability exists because the weights_only=True parameter, intended as a security measure, was proven ineffective in PyTorch versions 2.5.1 and earlier (GitHub Advisory, PyTorch Advisory).
When exploited, this vulnerability allows attackers to execute arbitrary code on the vLLM host system through malicious model files. The attack has high impact on confidentiality, integrity, and availability of the system, requiring no special privileges to execute (GitHub Advisory).
The vulnerability has been patched in vLLM version 0.8.0. The primary mitigation is to update PyTorch to version 2.6.0 or later, which properly implements the security fix for the weights_only=True parameter. Users should upgrade their vLLM installation to version 0.8.0 or later to receive the fixed PyTorch dependency (GitHub Advisory).
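The version thresholds above can be checked on a host before any checkpoint is loaded. The following is an added example, not code from vLLM, PyTorch or the advisory; guarded_load is a hypothetical wrapper, and pre-release builds of a fixed version are treated as unfixed by assumption.

```python
import re
from importlib import metadata

# Fixed releases as stated in the advisory text above.
FIXED = {"torch": (2, 6, 0), "vllm": (0, 8, 0)}
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")

def parse_release(version):
    """Return ((major, minor, patch), is_prerelease) for a PEP 440-style string."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(x or 0) for x in m.group(1, 2, 3))
    suffix = m.group(4).split("+", 1)[0]  # drop local build tags such as +cu121
    # a/b/rc/dev builds sort before the final release; only .post sorts after it.
    # Anything else unexpected is treated as a pre-release, the cautious choice.
    is_pre = bool(suffix) and not suffix.lstrip(".").startswith("post")
    return release, is_pre

def is_fixed(package, version):
    release, is_pre = parse_release(version)
    return release > FIXED[package] or (release == FIXED[package] and not is_pre)

def assess(versions):
    """versions maps package name -> version string (None when not installed)."""
    return [f"{pkg} {ver} is older than {'.'.join(map(str, FIXED[pkg]))}"
            for pkg, ver in versions.items()
            if pkg in FIXED and ver is not None and not is_fixed(pkg, ver)]

def installed_versions():
    found = {}
    for pkg in FIXED:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            found[pkg] = None
    return found

def guarded_load(path):
    """Hypothetical wrapper: refuse to deserialize on a PyTorch older than 2.6.0."""
    import torch  # imported lazily so the audit functions work without PyTorch
    if not is_fixed("torch", torch.__version__):
        raise RuntimeError(f"torch {torch.__version__}: weights_only=True is not a safe boundary")
    return torch.load(path, weights_only=True)

if __name__ == "__main__":
    print("\n".join(assess(installed_versions())) or "no affected versions found")
```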
Source: This report was generated using AI