CVE-2025-60455 | THREATINT

Description

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

PUBLISHED Reserved 2025-09-26 | Published 2025-11-18 | Updated 2025-11-19 | Assigner mitre

References

github.com/modular/modular/issues/4795

github.com/.../main/max/serve/kvcache_agent/kvcache_agent.py

github.com/...ommit/10620059fb5c47fb0c30e5d21a8ff3b8d622fba4

github.com/...ommit/ee9c4ab02345dd30bed8b79771b6909ff1b930a1

github.com/...ommit/b20e749fa892dbe772e890a268002f732164d9f5

www.oligo.security/...ulnerabilities-across-the-ai-ecosystem

cve.org (CVE-2025-60455)

nvd.nist.gov (CVE-2025-60455)

Download JSON