CVE-2025-60455 — Modular Max Serve has Unsafe Deserialization vulnerability

Description

Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

How to fix CVE-2025-60455

To remediate CVE-2025-60455, upgrade the affected package to a fixed version below.

PyPI/modular—upgrade to 25.6.0 or later

Is CVE-2025-60455 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 25.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-60455
PATCHgithub.com/modular/modular
WEBgithub.com/modular/modular/blame/main/max/serve/kvcache_agent/kvcache_agent.py#L220
WEBgithub.com/modular/modular/commit/10620059fb5c47fb0c30e5d21a8ff3b8d622fba4