
CVE-2025-3163 – InternLM LMDeploy conf.py open code injection
https://notcve.org/view.php?id=CVE-2025-3163
03 Apr 2025 — A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possible to launch the attack on the local host.
Reference: https://vuldb.com/?id.303109
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-3162 – InternLM LMDeploy PT File utils.py load_weight_ckpt deserialization
https://notcve.org/view.php?id=CVE-2025-3162
03 Apr 2025 — A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement.
Reference: https://github.com/InternLM/lmdeploy/issues/3255
CWE-20: Improper Input Validation; CWE-502: Deserialization of Untrusted Data