VYPR

PyPI package

lmdeploy

pkg:pypi/lmdeploy

Vulnerabilities (4)

  • CVE-2026-33626HigApr 20, 2026
    affected <= 0.12.2

    LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs

  • CVE-2025-67729Dec 26, 2025
    affected < 0.11.1fixed 0.11.1

    LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attac

  • CVE-2025-3163Apr 3, 2025
    affected <= 0.7.1

    A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possible to launch the attack on the local host.

  • CVE-2025-3162Apr 3, 2025
    affected <= 0.7.1

    A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally