CVE-2025-4701: Deserialization in VITA-MLLM Freeze-Omni
A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421. This issue affects the function torch.load of the file models/utils.py. The manipulation of the argument path leads to deserialization. It is possible to launch the attack on the local host.
AI Analysis
Technical Summary
CVE-2025-4701 is a medium-severity vulnerability identified in the VITA-MLLM Freeze-Omni product, affecting versions up to 20250421. The vulnerability arises from insecure deserialization in the torch.load call within the models/utils.py file. Deserialization vulnerabilities occur when untrusted input is deserialized, potentially allowing an attacker to execute arbitrary code or manipulate application logic; torch.load reads checkpoints with Python's pickle module, which can instantiate arbitrary importable objects named in the file. In this case, the vulnerability is triggered by manipulation of the 'path' argument passed to torch.load, which selects the serialized PyTorch model object to load. The attack vector is local host only, meaning exploitation requires local access with low privileges (PR:L). The CVSS 4.0 vector indicates low complexity (AC:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). No known exploits are currently reported in the wild. The vulnerability does not require authentication tokens or user interaction, but it does require the attacker to have local access to the system where Freeze-Omni is deployed. Because torch.load is the common method for loading machine learning models, improper validation of the input path can cause a malicious payload embedded in a model file to be deserialized, potentially allowing code execution or system manipulation. However, the scope is limited to local exploitation, reducing the risk of remote attacks. The lack of available patches or mitigation links suggests that users must rely on configuration or operational controls until an official fix is released.
Potential Impact
For European organizations utilizing VITA-MLLM Freeze-Omni, particularly those deploying machine learning models locally, this vulnerability presents a risk of local privilege escalation or unauthorized code execution. While the attack requires local access, insider threats or compromised endpoints could exploit this to manipulate model loading processes, potentially leading to data corruption, unauthorized data access, or disruption of AI-driven services. Given the increasing reliance on AI and machine learning in sectors such as finance, healthcare, and manufacturing across Europe, exploitation could undermine trust in automated decision-making systems or cause operational disruptions. However, the limited attack vector (local only) and medium severity reduce the likelihood of widespread impact unless combined with other vulnerabilities or social engineering to gain local access. Organizations with strict endpoint security and access controls will be less vulnerable, but those with less mature internal security controls or remote desktop access may face higher risks.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement strict access controls to limit local access to systems running Freeze-Omni. Employing endpoint security solutions that monitor and restrict unauthorized code execution can reduce exploitation risk. Administrators should audit and restrict file system permissions to prevent untrusted users from placing or modifying model files or paths used by torch.load. Additionally, organizations should consider sandboxing or containerizing the Freeze-Omni environment to isolate potential malicious deserialization attempts. Until an official patch is released, disabling or restricting the use of torch.load for untrusted inputs is advisable. Monitoring logs for unusual file access or loading operations can help detect exploitation attempts. Finally, organizations should maintain up-to-date backups of models and configurations to recover from potential tampering.
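The two controls above that can be expressed in code are confining the caller-supplied path to a designated model directory and refusing to deserialize anything beyond plain data. The following is an added example written for this analysis; it is not Freeze-Omni's code and does not depend on PyTorch. It uses Python's pickle module directly to show the allowlisting technique that torch.load applies when called with weights_only=True (a real parameter of torch.load), and a path-confinement check of the kind the advisory recommends for the 'path' argument. The model directory, file names and checkpoint contents are constructed for the demonstration.

```python
import io
import pickle
from pathlib import Path

# Hypothetical deployment path: the directory an operator designates for trusted model files.
MODEL_DIR = Path("/opt/freeze-omni/models")

# Globals the restricted unpickler will resolve: plain data containers only.
# torch.load(weights_only=True) applies the same idea with a tensor-aware allowlist.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "bool"), ("collections", "OrderedDict"),
}


def is_allowed_global(module: str, name: str) -> bool:
    """True only for the (module, name) pairs a checkpoint legitimately needs."""
    return (module, name) in ALLOWED_GLOBALS


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS.

    A pickle stream can name arbitrary importable callables; refusing to
    resolve them in find_class() is what prevents a crafted file from
    executing code when it is loaded.
    """

    def find_class(self, module, name):
        if is_allowed_global(module, name):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Deserialize bytes with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def resolve_model_path(user_path: str, model_dir: Path = MODEL_DIR) -> Path:
    """Confine a caller-supplied path to model_dir.

    resolve() follows symlinks and collapses '..', so the check runs on the
    real location, not on how the string looks.
    """
    root = model_dir.resolve()
    candidate = (model_dir / user_path).resolve()
    if not candidate.is_relative_to(root):
        raise PermissionError(f"{user_path!r} resolves outside {root}")
    return candidate


def load_model_state(user_path: str, model_dir: Path = MODEL_DIR):
    """Path check first, then restricted deserialization of the file contents."""
    path = resolve_model_path(user_path, model_dir)
    return restricted_loads(path.read_bytes())


def run_checks() -> dict:
    """Exercise the loader on constructed files in a temporary directory.

    Returns the outcomes as a dict so they can be checked programmatically.
    """
    import json
    import tempfile
    from collections import OrderedDict

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        # Constructed benign checkpoint: containers and numbers only.
        benign = OrderedDict([("layer.weight", [0.1, 0.2]), ("epoch", 3)])
        (model_dir / "good.pt").write_bytes(pickle.dumps(benign))
        results["benign"] = load_model_state("good.pt", model_dir)

        # Constructed file that references a function by name (json.dumps, chosen
        # because it is harmless); the restricted unpickler must refuse it.
        (model_dir / "bad.pt").write_bytes(pickle.dumps(json.dumps))
        try:
            load_model_state("bad.pt", model_dir)
            results["global_rejected"] = False
        except pickle.UnpicklingError:
            results["global_rejected"] = True

        # A path that escapes the model directory is rejected before any read.
        try:
            load_model_state("../outside.pt", model_dir)
            results["traversal_rejected"] = False
        except PermissionError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_checks())
```

The order in load_model_state matters: the path is validated before the file is opened, so a path pointing outside the model directory never causes a read, and the content check then runs on whatever is actually under that directory. This mirrors the advisory's two separate controls, file-system confinement and refusal of untrusted deserialization, and neither replaces the other.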
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-15T06:31:33.769Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec5f9
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 10:39:34 AM
Last updated: 8/14/2025, 1:59:17 AM
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)