CVE-2025-10965 | THREATINT

Description

A security vulnerability has been detected in LazyAGI LazyLLM up to 0.6.1. Affected by this issue is the function lazyllm_call of the file lazyllm/components/deploy/relay/server.py. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Es wurde eine Schwachstelle in LazyAGI LazyLLM up to 0.6.1 entdeckt. Betroffen ist die Funktion lazyllm_call der Datei lazyllm/components/deploy/relay/server.py. Die Manipulation führt zu deserialization. Ein Angriff ist aus der Distanz möglich. Der Exploit ist öffentlich verfügbar und könnte genutzt werden.

PUBLISHED Reserved 2025-09-25 | Published 2025-09-25 | Updated 2025-09-26 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Deserialization

Improper Input Validation

Product status

0.6.0

affected

0.6.1

affected

Timeline

2025-09-25:	Advisory disclosed
2025-09-25:	VulDB entry created
2025-09-25:	VulDB entry last update

Credits

0x1f (VulDB User) reporter

References

vuldb.com/?id.325833 (VDB-325833 | LazyAGI LazyLLM server.py lazyllm_call deserialization) vdb-entry technical-description

vuldb.com/?ctiid.325833 (VDB-325833 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.652936 (Submit #652936 | LazyAGI LazyLLM latest Remote Code Execution) third-party-advisory

github.com/LazyAGI/LazyLLM/issues/764 exploit issue-tracking

cve.org (CVE-2025-10965)

nvd.nist.gov (CVE-2025-10965)

Download JSON