This vulnerability affects the sendMessage function within the grpc_server.py file of the FedML gRPC server component in versions 0.8.0 through 0.8.9. An attacker can remotely manipulate inputs to trigger unsafe deserialization, potentially leading to unintended code execution or other impacts associated with deserialization flaws. The CVSS 4.0 base score is 6.9, reflecting network attack vector, no privileges required, no user interaction, and low to low impact on confidentiality, integrity, and availability. No official remediation or patch has been published, and the vendor has not responded to disclosure attempts.

Successful exploitation could allow a remote attacker to cause unsafe deserialization in the FedML gRPC server, potentially leading to partial compromise of confidentiality, integrity, or availability of the affected system. The impact is rated medium severity with low to low impact on security properties. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or provided a fix, users should consider implementing network-level protections such as restricting access to the gRPC server to trusted sources and monitoring for unusual activity related to the sendMessage function. Avoid exposing the vulnerable service to untrusted networks until a patch or official mitigation is available.