CVE-2025-4701 is a medium-severity vulnerability identified in the VITA-MLLM Freeze-Omni product, specifically affecting versions up to 20250421. The vulnerability arises from insecure deserialization in the torch.load function within the models/utils.py file. Deserialization vulnerabilities occur when untrusted input is deserialized, potentially allowing an attacker to execute arbitrary code or manipulate application logic. In this case, the vulnerability is triggered by manipulation of the 'path' argument passed to torch.load, which is responsible for loading serialized PyTorch model objects. The attack vector is local host only, meaning exploitation requires local access with low privileges (PR:L). The CVSS 4.0 vector indicates low complexity (AC:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). No known exploits are currently reported in the wild. The vulnerability does not require authentication tokens or user interaction but does require the attacker to have local access to the system where Freeze-Omni is deployed. Given that torch.load is a common method for loading machine learning models, improper validation of input paths can lead to deserialization of malicious payloads embedded within model files or paths, potentially allowing code execution or system manipulation. However, the scope is limited to local exploitation, reducing the risk of remote attacks. The lack of available patches or mitigation links suggests that users must rely on configuration or operational controls until an official fix is released.

For European organizations utilizing VITA-MLLM Freeze-Omni, particularly those deploying machine learning models locally, this vulnerability presents a risk of local privilege escalation or unauthorized code execution. While the attack requires local access, insider threats or compromised endpoints could exploit this to manipulate model loading processes, potentially leading to data corruption, unauthorized data access, or disruption of AI-driven services. Given the increasing reliance on AI and machine learning in sectors such as finance, healthcare, and manufacturing across Europe, exploitation could undermine trust in automated decision-making systems or cause operational disruptions. However, the limited attack vector (local only) and medium severity reduce the likelihood of widespread impact unless combined with other vulnerabilities or social engineering to gain local access. Organizations with strict endpoint security and access controls will be less vulnerable, but those with less mature internal security controls or remote desktop access may face higher risks.

To mitigate this vulnerability, European organizations should implement strict access controls to limit local access to systems running Freeze-Omni. Employing endpoint security solutions that monitor and restrict unauthorized code execution can reduce exploitation risk. Administrators should audit and restrict file system permissions to prevent untrusted users from placing or modifying model files or paths used by torch.load. Additionally, organizations should consider sandboxing or containerizing the Freeze-Omni environment to isolate potential malicious deserialization attempts. Until an official patch is released, disabling or restricting the use of torch.load for untrusted inputs is advisable. Monitoring logs for unusual file access or loading operations can help detect exploitation attempts. Finally, organizations should maintain up-to-date backups of models and configurations to recover from potential tampering.