
CVE-2025-4701: Deserialization in VITA-MLLM Freeze-Omni

Severity: Medium
Tags: Vulnerability, CVE-2025-4701
Published: Thu May 15 2025 (05/15/2025, 14:31:04 UTC)
Source: CVE
Vendor/Project: VITA-MLLM
Product: Freeze-Omni

Description

A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421. This issue affects the function torch.load of the file models/utils.py. The manipulation of the argument path leads to deserialization. It is possible to launch the attack on the local host.

AI-Powered Analysis

Last updated: 07/06/2025, 10:39:34 UTC

Technical Analysis

CVE-2025-4701 is a medium-severity vulnerability in VITA-MLLM Freeze-Omni affecting versions up to 20250421. It stems from insecure deserialization in the call to torch.load in models/utils.py. Deserialization vulnerabilities arise when untrusted input is deserialized; torch.load is backed by Python's pickle format, so deserializing a crafted object can execute arbitrary code or alter application logic. Here the issue is triggered by manipulating the 'path' argument passed to torch.load, which loads serialized PyTorch model objects. The attack vector is local only: exploitation requires local access with low privileges (PR:L). The CVSS 4.0 vector indicates low attack complexity (AC:L), no user interaction (UI:N), and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). No exploits are currently reported in the wild. No authentication tokens or user interaction are required, but the attacker must already have local access to the system where Freeze-Omni is deployed. Because torch.load is the standard way to load machine learning models, failing to validate the input path lets an attacker point the loader at a malicious model file, potentially achieving code execution or system manipulation. The scope is limited to local exploitation, which reduces the risk of remote attack. As no patch or mitigation links are available, users must rely on configuration and operational controls until an official fix is released.

Potential Impact

For European organizations utilizing VITA-MLLM Freeze-Omni, particularly those deploying machine learning models locally, this vulnerability presents a risk of local privilege escalation or unauthorized code execution. While the attack requires local access, insider threats or compromised endpoints could exploit this to manipulate model loading processes, potentially leading to data corruption, unauthorized data access, or disruption of AI-driven services. Given the increasing reliance on AI and machine learning in sectors such as finance, healthcare, and manufacturing across Europe, exploitation could undermine trust in automated decision-making systems or cause operational disruptions. However, the limited attack vector (local only) and medium severity reduce the likelihood of widespread impact unless combined with other vulnerabilities or social engineering to gain local access. Organizations with strict endpoint security and access controls will be less vulnerable, but those with less mature internal security controls or remote desktop access may face higher risks.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement strict access controls to limit local access to systems running Freeze-Omni. Employing endpoint security solutions that monitor and restrict unauthorized code execution can reduce exploitation risk. Administrators should audit and restrict file system permissions to prevent untrusted users from placing or modifying model files or paths used by torch.load. Additionally, organizations should consider sandboxing or containerizing the Freeze-Omni environment to isolate potential malicious deserialization attempts. Until an official patch is released, disabling or restricting the use of torch.load for untrusted inputs is advisable. Monitoring logs for unusual file access or loading operations can help detect exploitation attempts. Finally, organizations should maintain up-to-date backups of models and configurations to recover from potential tampering.
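The hardening described above, validating the path before it reaches torch.load and deserializing tensors only, as an added example (not Freeze-Omni's own code): a loader that confines checkpoints to an approved model directory and calls torch.load with weights_only=True. Names such as resolve_model_path, load_checkpoint and the model directory layout are assumptions; the sample files in demo() are constructed and contain no real checkpoint data.

```python
import tempfile
from pathlib import Path

class UntrustedModelPath(ValueError):
    """Requested checkpoint path is not an approved model file."""

def resolve_model_path(requested: str, model_root: str) -> Path:
    """Canonicalize `requested` and require it to stay inside `model_root`
    (symlinks followed), carry a checkpoint extension and be a regular file."""
    root = Path(model_root).resolve(strict=True)
    # resolve() follows symlinks, so a link inside model_root that points
    # elsewhere is caught as well as plain "../" traversal.
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        raise UntrustedModelPath(f"{requested!r} escapes {root}")
    if candidate.suffix not in {".pt", ".pth", ".bin"}:
        raise UntrustedModelPath(f"{requested!r} has an unexpected extension")
    if not candidate.is_file():
        raise UntrustedModelPath(f"{requested!r} is not a regular file")
    return candidate

def load_checkpoint(requested: str, model_root: str):
    """Hardened replacement for a bare torch.load(path): validate the path,
    then deserialize tensors only (weights_only=True rejects arbitrary pickled
    objects). torch is imported lazily so the path checks run without it."""
    path = resolve_model_path(requested, model_root)
    import torch  # assumes PyTorch >= 1.13, where weights_only is available
    return torch.load(path, map_location="cpu", weights_only=True)

def demo() -> dict:
    """Constructed layout: a legitimate checkpoint inside the model root, a
    planted file outside it, and a symlink inside the root pointing out."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "models"
        root.mkdir()
        (root / "freeze_omni.pt").write_bytes(b"constructed, not a real checkpoint")
        outside = Path(tmp) / "planted.pt"
        outside.write_bytes(b"constructed placeholder outside the model root")
        (root / "link.pt").symlink_to(outside)
        for name in ("freeze_omni.pt", "../planted.pt", "link.pt", "notes.txt"):
            try:
                resolve_model_path(name, str(root))
                results[name] = "accepted"
            except UntrustedModelPath:
                results[name] = "rejected"
    return results
```

Only the in-root checkpoint is accepted; traversal, the symlink escape and the non-checkpoint file are rejected before any bytes are unpickled.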


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-15T06:31:33.769Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec5f9

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 10:39:34 AM

Last updated: 8/14/2025, 1:59:17 AM

