Technical description
LMDeploy (InternLM's toolkit for compressing, deploying, and serving large language models) versions 0.12.3 and earlier hardcode trust_remote_code=True across multiple HuggingFace model-loading call sites. This means any HuggingFace model loaded by LMDeploy can execute arbitrary Python code during model initialisation without any user prompt or override option. CVSS 7.8 (High). No patch was available at the time of NVD publication on June 10, 2026.
Attack vector
An attacker who can cause an LMDeploy deployment to load a malicious or poisoned HuggingFace model (e.g. via supply-chain compromise of a model registry, a model recommendation mechanism, or a developer downloading an attacker-controlled model) will achieve arbitrary code execution in the context of the LMDeploy process, which typically runs with cloud IAM roles or GPU cluster credentials.
Affected systems
LMDeploy versions ≤ 0.12.3 (InternLM/lmdeploy on GitHub); any ML inference pipeline, fine-tuning workflow, or model-evaluation system using LMDeploy to serve or benchmark HuggingFace models.
Mitigation
No patch available as of June 10, 2026. Interim controls: (1) Only load models from verified, internally-curated model registries with provenance checksums; (2) Run LMDeploy processes in sandboxed environments with minimal IAM permissions and network egress restrictions; (3) Audit current LMDeploy deployments for any externally-sourced model; (4) Track the InternLM GitHub advisory (GHSA-m549-qq94-fvhg) for patch release and update immediately when available.
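
Interim controls (1) and (3) can be enforced as a gate that runs before LMDeploy is pointed at a model. The following is an added example, not LMDeploy code or part of the advisory: it assumes the model has already been downloaded to a local directory, and the function names and sample files are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def make_manifest(model_dir):
    """Record SHA-256 of every file at curation time (relative path -> digest)."""
    root = Path(model_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit_model_dir(model_dir, manifest):
    """Return findings for a local model directory; an empty list means it passed."""
    root, findings = Path(model_dir), []
    # auto_map names in-repo Python modules imported when trust_remote_code=True
    for name in ("config.json", "tokenizer_config.json"):
        cfg = root / name
        if not cfg.is_file():
            continue
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            findings.append(f"unparseable:{name}")
            continue
        if isinstance(data, dict) and data.get("auto_map"):
            findings.append(f"auto_map:{name}")
    actual = make_manifest(root)
    for rel in sorted(actual):
        if rel.endswith(".py"):
            findings.append(f"python_file:{rel}")  # code shipped beside weights
        if rel not in manifest:
            findings.append(f"unlisted:{rel}")
        elif actual[rel] != manifest[rel]:
            findings.append(f"hash_mismatch:{rel}")
    findings += [f"missing:{rel}" for rel in sorted(set(manifest) - set(actual))]
    return findings

def build_sample(with_custom_code):
    """Constructed sample directory (not a real model) for the demonstration."""
    root = Path(tempfile.mkdtemp())
    cfg = {"model_type": "example"}
    if with_custom_code:
        cfg["auto_map"] = {"AutoModelForCausalLM": "modeling_example.ExampleModel"}
        (root / "modeling_example.py").write_text("# custom model code\n")
    (root / "config.json").write_text(json.dumps(cfg))
    (root / "model.safetensors").write_bytes(b"\x00" * 16)
    return root
if __name__ == "__main__":
    print(audit_model_dir(build_sample(True), {}))
```

A non-empty result should block the load. The manifest is produced once, when the model is admitted to the internal registry, and stored separately from the model files.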