CVE-2024-11041

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse data received from sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
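The CWE-502 pattern described above, shown as an added example (not vLLM's own code) with the vulnerable dequeue beside a hardened one: the hypothetical `safe_dequeue` keeps the same pickle wire format but resolves only an allowlisted set of globals, so a message that references any other callable or class is refused before it can be reconstructed. Sample messages are constructed inline; the global reference uses the harmless `os.getcwd` to show the mechanism without a working payload.

```python
import io
import os
import pickle

# Hypothetical allowlist for a message-queue consumer: only plain data
# containers may be reconstructed; every other global reference is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "str"),
    ("builtins", "bytes"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name} from untrusted message")


def unsafe_dequeue(raw: bytes):
    """Vulnerable pattern: pickle.loads on whatever the socket delivered."""
    return pickle.loads(raw)


def safe_dequeue(raw: bytes):
    """Hardened replacement: same format, restricted class resolution."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(raw: bytes) -> bool:
    """True when the hardened path refuses the message."""
    try:
        safe_dequeue(raw)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample messages (not captured from a real vLLM deployment).
PLAIN_MESSAGE = pickle.dumps({"request_id": 7, "tokens": [1, 2, 3]})
# A function pickled by reference: loading it makes the unpickler resolve a
# global. os.getcwd is harmless; the point is that the unsafe path resolves
# any global the sender names, while the hardened path refuses it.
GLOBAL_REF_MESSAGE = pickle.dumps(os.getcwd)
```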
References

https://huntr.com/bounties/00136195-11e0-4ad0-98d5-72db066e867f (Exploit, Third Party Advisory)
Configurations

Configuration 1

cpe:2.3:a:vllm:vllm:0.6.2:*:*:*:*:*:*:*

History

31 Jul 2025, 14:48

Type: References
  Values Removed: () https://huntr.com/bounties/00136195-11e0-4ad0-98d5-72db066e867f -
  Values Added: () https://huntr.com/bounties/00136195-11e0-4ad0-98d5-72db066e867f - Exploit, Third Party Advisory
Type: First Time
  Values Added: Vllm vllm; Vllm
Type: Summary
  Values Added (es, translated): vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. This function uses pickle.loads to directly parse received sockets, which results in a remote code execution vulnerability. An attacker can exploit this by sending a payload to MessageQueue, causing the victim's machine to execute arbitrary code.
Type: CPE
  Values Added: cpe:2.3:a:vllm:vllm:0.6.2:*:*:*:*:*:*:*

20 Mar 2025, 10:15

New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-31 14:48


NVD link : CVE-2024-11041

Mitre link : CVE-2024-11041

CVE.ORG link : CVE-2024-11041

Products Affected

vllm

  • vllm
CWE
CWE-502

Deserialization of Untrusted Data