CVE-2025-60455

Nov. 19, 2025, 7:15 p.m.

8.4
High

Description

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

Product(s) Impacted

Product Versions
max_serve
  • <25.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://github.com/modular/modular/blame/main/max/serve/kvcache_agent/kvcache_agent.py#L220
https://github.com/modular/modular/commit/10620059fb5c47fb0c30e5d21a8ff3b8d622fba4
https://github.com/modular/modular/commit/b20e749fa892dbe772e890a268002f732164d9f5
https://github.com/modular/modular/commit/ee9c4ab02345dd30bed8b79771b6909ff1b930a1
https://github.com/modular/modular/issues/4795
https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem

Tags

cve@mitre.org
CWE-502
2025-11-18
CVE-2025-60455

CVSS Score

8.4 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Nov. 18, 2025, 7:15 p.m.
Last Modified: Nov. 19, 2025, 7:15 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.