
vLLM, a popular library for Large Language Model (LLM) inference and serving, has recently addressed a critical security vulnerability. With over 43k stars on GitHub, vLLM is widely used, so this is important! The vulnerability, identified as CVE-2025-29783, carries the maximum CVSS score of 10, indicating its severity.
The vulnerability lies in vLLM’s integration with Mooncake, a feature used for distributed LLM deployments. When vLLM is configured to use Mooncake, it exposes an unsafe deserialization process directly over ZMQ/TCP. This exposure allows attackers to execute remote code on distributed hosts.
The core issue is the use of pickle.loads() on untrusted input, a well-known source of security vulnerabilities. As the security advisory states, “The root problem is recv_tensor() calls _recv_impl which passes the raw network bytes to pickle.loads().”
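As an added illustration (not code from vLLM, Mooncake, or the advisory, and not the fix from the PR), the Python sketch below shows that pickle.loads() invokes a callable named by the sender, next to a data-only receiver that only parses bytes. The frame layout, dtype codes, and all function names are assumptions made for this example; the sample payload is constructed and calls only the harmless builtin len().

```python
import pickle
import struct

class CallsOnLoad:
    """Constructed sample: unpickling it calls a harmless builtin, len()."""
    def __reduce__(self):
        return (len, ("abc",))

def demo_payload() -> bytes:
    return pickle.dumps(CallsOnLoad())

def unsafe_recv(raw: bytes):
    """The pattern the advisory describes: raw network bytes into pickle."""
    return pickle.loads(raw)  # runs whatever callable the sender named

# Assumed data-only frame: magic, dtype code, rank, uint32 dims, raw payload.
MAGIC = b"TNSR"
DTYPE_SIZES = {0: 1, 1: 2, 2: 4, 3: 8}  # hypothetical codes: u8, f16, f32, f64
MAX_DIMS, MAX_BYTES = 8, 1 << 30

def encode_tensor(dtype: int, shape: tuple, payload: bytes) -> bytes:
    head = MAGIC + struct.pack("<BB", dtype, len(shape))
    return head + struct.pack(f"<{len(shape)}I", *shape) + payload

def safe_recv(raw: bytes):
    """Parse a frame without executing anything; reject malformed input."""
    if len(raw) < 6 or raw[:4] != MAGIC:
        raise ValueError("bad magic")
    dtype, ndim = struct.unpack_from("<BB", raw, 4)
    if dtype not in DTYPE_SIZES or ndim > MAX_DIMS:
        raise ValueError("bad dtype or rank")
    if len(raw) < 6 + 4 * ndim:
        raise ValueError("truncated shape")
    shape = struct.unpack_from(f"<{ndim}I", raw, 6)
    expected = DTYPE_SIZES[dtype]
    for dim in shape:
        expected *= dim
    payload = raw[6 + 4 * ndim:]
    if expected > MAX_BYTES or len(payload) != expected:
        raise ValueError("payload length does not match shape")
    return dtype, shape, payload

if __name__ == "__main__":
    # The "object" that comes back is the result of a call made during loading.
    print("pickle.loads returned:", unsafe_recv(demo_payload()))
    print("frame parsed:", safe_recv(encode_tensor(2, (2, 3), bytes(24)))[:2])
```

A data-only format removes the code-execution path, but the listener still needs network restrictions and authentication so that only trusted peers can reach it.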
Several factors contribute to the severity of this vulnerability:
- Pickle Deserialization: Pickle deserialization vulnerabilities are well-known in the security community.
- Network Exposure: The mooncake pipe is exposed over the network by design, using ZMQ over TCP. This significantly increases the exploitability of the vulnerability.
- Lack of Network Controls: The mooncake integration opens sockets on all interfaces, and it “does not appear that there are any controls (network, authentication, etc) to prevent arbitrary users from sending this payload to the affected service.”
In essence, this vulnerability allows remote code execution on any deployment that uses Mooncake to distribute KV across distributed hosts. If you are using vLLM with Mooncake, immediate action is required.
The vulnerability impacts vLLM versions greater than or equal to 0.6.5 and less than 0.8.0. The patched version is 0.8.0. Upgrade to vLLM version 0.8.0 as soon as possible. The issue has been resolved by PR #14228.