vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 31 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Vllm
Vllm vllm
CPEs cpe:2.3:a:vllm:vllm:0.6.2:*:*:*:*:*:*:*
Vendors & Products Vllm
Vllm vllm

Tue, 25 Mar 2025 01:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Thu, 20 Mar 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 20 Mar 2025 10:15:00 +0000

Type Values Removed Values Added
Description vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
Title Remote Code Execution in vllm-project/vllm
Weaknesses CWE-502
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2025-03-20T18:18:48.224Z

Reserved: 2024-11-09T04:47:57.295Z

Link: CVE-2024-11041

cve-icon Vulnrichment

Updated: 2025-03-20T17:52:44.204Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-20T10:15:23.420

Modified: 2025-07-31T14:48:32.163

Link: CVE-2024-11041

cve-icon Redhat

Severity : Low

Publid Date: 2025-03-20T10:10:40Z

Links: CVE-2024-11041 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:06:21Z