We use cookies to improve your experience on our site.
AVID-2026-R1688
Description
InternLM LMDeploy conf.py open code injection (CVE-2025-3163)
Details
A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Reason for inclusion in AVID: The CVE describes a code injection vulnerability in InternLM LMDeploy (a deployment tool used in AI pipelines). It affects a component used to deploy AI systems and could enable code execution on the host. This is a software supply-chain/infrastructure vulnerability within AI software stacks, with public CVE and CWE references supporting its severity and nature.
References
- NVD entry
- https://vuldb.com/?id.303109
- https://vuldb.com/?ctiid.303109
- https://vuldb.com/?submit.542527
- https://github.com/InternLM/lmdeploy/issues/3254
- https://github.com/InternLM/lmdeploy/issues/3254#issue-2918865448
Affected or Relevant Artifacts
- Developer: InternLM
- Deployer: InternLM
- Artifact Details:
| Type | Name |
|---|---|
| System | LMDeploy |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| Base Score | 5.3 |
| Base Severity | 🟠 Medium |
CWE
| ID | Description |
|---|---|
| CWE-94 | Code Injection |
| CWE-74 | Injection |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-04-03
- Version: 0.3.3
- AVID Entry