Merge pull request #5444 from github/russellb-GHSA-pgr7-mhp5-fgjp

Author: advisory-database[bot]

Diff for: advisories/github-reviewed/2025/03/GHSA-pgr7-mhp5-fgjp/GHSA-pgr7-mhp5-fgjp.json

@@ -7,11 +7,11 @@
     "CVE-2024-9052"
   ],
   "summary": "vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object",
-  "details": "vllm-project vllm version 0.6.0 contains a vulnerability in the distributed training API. The function vllm.distributed.GroupCoordinator.recv_object() deserializes received object bytes using pickle.loads() without sanitization, leading to a remote code execution vulnerability.",
+  "details": "vllm-project vllm version 0.6.0 contains a vulnerability in the distributed training API. The function vllm.distributed.GroupCoordinator.recv_object() deserializes received object bytes using pickle.loads() without sanitization, leading to a remote code execution vulnerability.\n\n**Note that vLLM does NOT use the code as described in the report on huntr. The problem only exists if you use these internal APIs in a way that exposes them to a network as described. The vllm team was not involved in the analysis of this report and the decision to assign it a CVE.** ",
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
   "affected": [