{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "25.6.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "f2f9aa604e175a65407235704bbe52ddf9df038b" }, { "fixed": "10620059fb5c47fb0c30e5d21a8ff3b8d622fba4" }, { "fixed": "b20e749fa892dbe772e890a268002f732164d9f5" }, { "fixed": "ee9c4ab02345dd30bed8b79771b6909ff1b930a1" } ], "repo": "https://github.com/modular/modular", "type": "GIT" } ] } ], "details": "Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the \"--experimental-enable-kvcache-agent\" feature is used allowing attackers to execute arbitrary code.", "id": "CVE-2025-60455", "modified": "2026-04-01T23:08:02.108810976Z", "published": "2025-11-18T19:15:49.800Z", "references": [ { "type": "WEB", "url": "https://github.com/modular/modular/blame/main/max/serve/kvcache_agent/kvcache_agent.py#L220" }, { "type": "FIX", "url": "https://github.com/modular/modular/commit/10620059fb5c47fb0c30e5d21a8ff3b8d622fba4" }, { "type": "FIX", "url": "https://github.com/modular/modular/commit/b20e749fa892dbe772e890a268002f732164d9f5" }, { "type": "FIX", "url": "https://github.com/modular/modular/commit/ee9c4ab02345dd30bed8b79771b6909ff1b930a1" }, { "type": "FIX", "url": "https://github.com/modular/modular/issues/4795" }, { "type": "EVIDENCE", "url": "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem" } ], "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }