Security Advisory

CVE-2025-67729

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-12-26 21:54:10

Last updated 2025-12-26 22:10:54

Assigner GitHub_M

State PUBLISHED

Description

LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victims machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.

← Browse all CVEs View on cve.org ↗