Submit #652936: LazyAGI LazyLLM latest Remote Code Execution

Title: LazyAGI LazyLLM latest Remote Code Execution

Description:

### Summary

Remote Code Execution Through Insecure Deserialization.

### Details

The routing processing function `lazyllm_call` has a deserialization vulnerability in the file [lazyllm/components/deploy/relay/server.py](https://github.com/LazyAGI/LazyLLM/blob/main/lazyllm/components/deploy/relay/server.py#L60-L70). The specific location calls `load_obj->cloudpickle.loads`, which leads to RCE.

Source: https://github.com/LazyAGI/LazyLLM/issues/764
User: 0x1f (UID 89432)
Submission: 09/11/2025 19:53 (8 months ago)
Moderation: 09/25/2025 12:11 (14 days later)
Status: Accepted
VulDB entry: 325833 [LazyAGI LazyLLM up to 0.6.1 server.py lazyllm_call deserialization]
Points: 20
