What is CVE-2025-3677?

CVE-2025-3677 is a medium-severity vulnerability in Lm-sys Fastchat, classified under Deserialization of Untrusted Data. CVSS score: 5.3/10. Published 2025-04-16.

How severe is CVE-2025-3677?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Deserialization in Lm-sys Fastchat

CVE-2025-3677

A vulnerability classified as critical was found in lm-sys fastchat up to 0.2.36. This vulnerability affects the function split_files/apply_delta_low_cpu_mem of the file fastchat/model/apply_delta.py. The manipulation leads to deserializat…

Vulnerability class: Insecure Deserialization

EPSS: 0.002 (43.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.

Affected products

Lm-sys Fastchat — versions 0.2.0, 0.2.1, 0.2.2

Weakness classification (CWE)

References

VDB-304966 | lm-sys fastchat apply_delta.py apply_delta_low_cpu_mem deserialization (vdb-entry, technical-description)
VDB-304966 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #552755 | lm-sys FastChat v0.2.3 to v0.2.36 Deserialization (third-party-advisory)
github.com/lm-sys/FastChat/issues/3713 (issue-tracking)

Frequently asked questions

What is CVE-2025-3677?: CVE-2025-3677 is a medium-severity vulnerability in Lm-sys Fastchat, classified under Deserialization of Untrusted Data. CVSS score: 5.3/10. Published 2025-04-16.
How severe is CVE-2025-3677?: Medium severity. CVSS v3 base score is 5.3 out of 10.