CVE-2025-67729 is a high-severity security vulnerability that affects InternLM’s lmdeploy toolkit, a Python-based toolkit used for compressing, deploying, and serving large language models (LLMs).
Description
The issue is an insecure deserialization vulnerability (CWE-502). In vulnerable versions of lmdeploy (every release before 0.11.1), the library calls torch.load() without the weights_only=True parameter when loading model checkpoint files (e.g., .bin or .pt). torch.load() is built on Python’s pickle module, and a pickle stream can instruct the deserializer to import and call arbitrary callables, so loading a malicious file runs attacker-chosen code before any model weights are inspected.
An attacker therefore only needs to get a victim to load a specially crafted model file: when a vulnerable lmdeploy installation deserializes it, the embedded payload executes with the privileges of the user (or service account) running lmdeploy.
Impact
- Severity: High (CVSS 3.1 base score ~8.8)
- Attack Vector: Network (the malicious model file is fetched from an untrusted remote source)
- Privileges Required: None
- User Interaction: Required (the victim must load the malicious model file)
- Security Effects:
  - Confidentiality: High (unauthorized access to data on the host)
  - Integrity: High (arbitrary code can modify system behavior)
  - Availability: High (the service can be disrupted)
Affected Versions
- All lmdeploy versions before 0.11.1 are vulnerable.
Fix / Mitigation
The vulnerability was patched in lmdeploy version 0.11.1 by passing weights_only=True on every torch.load() call. With that flag PyTorch loads the pickle through a restricted unpickler that only resolves an allow-list of tensor-related types, so a stream that names an arbitrary callable is rejected instead of executed. Two caveats for practitioners: weights_only=True narrows the pickle attack surface rather than making pickle-based checkpoints safe in general, and the PyTorch version matters too, since torch.load() has defaulted to weights_only=True starting with PyTorch 2.6; the implicit unsafe behavior described here applies to calls that omit the parameter on earlier PyTorch, or that pass weights_only=False explicitly.
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh
https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee
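The following is an added illustration, not code from lmdeploy, PyTorch or the advisory, covering both the Description (why a pickle-based checkpoint executes code on load) and the Fix (what an allow-list unpickler such as weights_only=True changes). It uses only the standard library so it runs without torch: a constructed "checkpoint" whose pickle stream calls builtins.exec stands in for a malicious .bin/.pt file, plain pickle.loads stands in for the pre-0.11.1 torch.load() call, and a small Unpickler subclass with an allow-list stands in for weights_only=True. The marker environment variable, the payload statement and the allow-list contents are assumptions chosen for the demo.

```python
"""Why torch.load() on an untrusted checkpoint is dangerous, shown with the stdlib only.

torch.load() is built on pickle. No torch is required here: a fake 'checkpoint'
is pickled so that loading it calls builtins.exec, then an allow-list unpickler
(the principle behind weights_only=True) refuses to resolve that global.
"""
import collections
import io
import os
import pickle

# Constructed marker: the demo payload only sets this variable as evidence it ran.
MARKER = "LMDEPLOY_DEMO_PWNED"


class MaliciousCheckpoint:
    """Pickles to: exec("import os; os.environ[MARKER] = '1'").

    The unpickler calls whatever callable __reduce__ names. An attacker would put
    os.system(...) or a reverse shell here; the statement below is deliberately harmless.
    """

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps(MaliciousCheckpoint())


def build_benign_checkpoint() -> bytes:
    # A state_dict is an OrderedDict of parameter name -> tensor; plain lists
    # stand in for tensors so the example has no torch dependency.
    state = collections.OrderedDict(
        [("layer.weight", [0.1, 0.2, 0.3]), ("layer.bias", [0.0])]
    )
    return pickle.dumps(state)


def unsafe_load(blob: bytes):
    """Stand-in for the pre-0.11.1 call torch.load(path) on PyTorch < 2.6: plain pickle.loads."""
    return pickle.loads(blob)


class AllowListUnpickler(pickle.Unpickler):
    """Only globals listed in ALLOWED may be imported by the stream.

    PyTorch's weights_only loader works on the same principle with a tensor-specific
    list (storage and rebuild helpers, OrderedDict, ...). The list here is the
    minimum needed for the benign checkpoint above (an assumption for the demo).
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from an untrusted checkpoint"
        )


def safe_load(blob: bytes):
    """Stand-in for torch.load(path, weights_only=True)."""
    return AllowListUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Load the malicious blob both ways and report whether the payload executed."""
    os.environ.pop(MARKER, None)
    try:
        safe_load(build_malicious_checkpoint())
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    ran_under_safe = MARKER in os.environ
    unsafe_load(build_malicious_checkpoint())  # payload executes during deserialization
    ran_under_unsafe = MARKER in os.environ
    os.environ.pop(MARKER, None)
    return {
        "blocked_by_allowlist": blocked,
        "payload_ran_under_safe_load": ran_under_safe,
        "payload_ran_under_unsafe_load": ran_under_unsafe,
    }


if __name__ == "__main__":
    print(demo())
    print(safe_load(build_benign_checkpoint()))
```

The point to take away is that the payload runs inside the deserializer itself, before the caller ever sees a return value, so no check on the loaded object can help; the only effective control is to refuse to resolve unexpected globals, which is exactly what the allow-list does and what the 0.11.1 fix enables in PyTorch.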
Mitigation steps:
- Upgrade lmdeploy to version 0.11.1 or later.
- Avoid loading model checkpoint files from untrusted sources.
- If a pickle-based checkpoint must be loaded, pass weights_only=True to torch.load() explicitly rather than relying on the PyTorch default.
- Use the safetensors format where possible, since it avoids Python pickle deserialization entirely.
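To make the last mitigation concrete, here is an added, standard-library-only reader and writer for the safetensors container; it is not code from the safetensors project (which is what lmdeploy users should actually install) or from lmdeploy. It mirrors the on-disk layout (an 8-byte little-endian header length, a JSON header, then raw tensor bytes) so the security property is visible: loading is json.loads plus struct.unpack, and the file can never name a Python callable to invoke. The supported dtype table, the tampered sample and the bounds checks are this example's own choices; the reference implementation additionally requires tensor ranges to be contiguous and to cover the whole buffer, which is omitted here.

```python
"""Minimal reader/writer for the safetensors container, stdlib only (added example)."""
import json
import math
import struct

# The reference implementation refuses headers larger than 100 MB; same bound here.
MAX_HEADER_BYTES = 100 * 1024 * 1024
# struct format character and element size for the dtypes this example supports.
_DTYPES = {"F32": ("f", 4), "F16": ("e", 2), "I32": ("i", 4), "I64": ("q", 8)}


def write_safetensors(tensors, metadata=None) -> bytes:
    """tensors: name -> (dtype, shape, flat list of values); everything little-endian on disk."""
    header, payload, offset = {}, bytearray(), 0
    for name, (dtype, shape, values) in tensors.items():
        fmt, _size = _DTYPES[dtype]
        count = math.prod(shape)
        if count != len(values):
            raise ValueError(f"{name}: shape {shape} needs {count} values, got {len(values)}")
        raw = struct.pack(f"<{count}{fmt}", *values)
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [offset, offset + len(raw)]}
        payload += raw
        offset += len(raw)
    if metadata:
        header["__metadata__"] = metadata
    hdr = json.dumps(header).encode("utf-8")
    hdr += b" " * (-len(hdr) % 8)  # pad with spaces to 8-byte alignment, as the reference writer does
    return struct.pack("<Q", len(hdr)) + hdr + bytes(payload)


def read_safetensors(blob: bytes) -> dict:
    """Parse a blob into name -> (dtype, shape, values), validating every header field used."""
    if len(blob) < 8:
        raise ValueError("truncated file: missing header length")
    (hdr_len,) = struct.unpack("<Q", blob[:8])
    if hdr_len > MAX_HEADER_BYTES or 8 + hdr_len > len(blob):
        raise ValueError("header length out of bounds")
    header = json.loads(blob[8:8 + hdr_len].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    data = memoryview(blob)[8 + hdr_len:]
    tensors = {}
    for name, info in header.items():
        if name == "__metadata__":
            continue  # free-form string map, e.g. {"format": "pt"}
        if not isinstance(info, dict) or info.get("dtype") not in _DTYPES:
            raise ValueError(f"{name}: malformed entry or unsupported dtype")
        fmt, size = _DTYPES[info["dtype"]]
        shape = info["shape"]
        if not all(isinstance(d, int) and d >= 0 for d in shape):
            raise ValueError(f"{name}: shape must be non-negative integers")
        start, end = info["data_offsets"]
        count = math.prod(shape)
        # Every byte range must lie inside the buffer and match dtype*shape exactly,
        # so a crafted header cannot read outside the file or misdescribe a tensor.
        if not (0 <= start <= end <= len(data)) or end - start != count * size:
            raise ValueError(f"{name}: data_offsets {info['data_offsets']} inconsistent "
                             f"with {info['dtype']} {shape}")
        values = list(struct.unpack(f"<{count}{fmt}", data[start:end]))
        tensors[name] = (info["dtype"], tuple(shape), values)
    return tensors


def rejects(blob: bytes) -> bool:
    """True if read_safetensors refuses the blob."""
    try:
        read_safetensors(blob)
    except ValueError:
        return True
    return False


def build_tampered_blob() -> bytes:
    """Constructed bad input: the header claims 16 bytes but only 8 bytes of data follow."""
    header = json.dumps({"w": {"dtype": "F32", "shape": [4], "data_offsets": [0, 16]}}).encode()
    return struct.pack("<Q", len(header)) + header + b"\x00" * 8


if __name__ == "__main__":
    blob = write_safetensors({"layer.weight": ("F32", [2, 2], [1.0, 2.0, 3.0, 4.0])},
                             metadata={"format": "pt"})
    print(read_safetensors(blob))
    print("tampered rejected:", rejects(build_tampered_blob()))
```

Compare the failure modes with the pickle case: a hostile safetensors header can at worst make the reader raise or read a wrong slice of the file, which the offset checks catch, whereas a hostile pickle header executes before any check can run.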
