VYPR

Verl

by Volcengine

Source repositories

CVEs (1)

  • CVE-2025-50461MedAug 19, 2025
    risk 0.42cvss 6.5epss 0.00

    A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. The script calls torch.load() with weights_only=False on user-supplied .pt files, allowing attackers to execute arbitrary code if…