vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.
The vulnerable vLLM integration with mooncake uses the pickle format to serialize data transmitted over ZeroMQ sockets. These sockets are configured to listen on all network interfaces, significantly increasing the accessibility of network-based attacks. Since communication is not secured with authentication or encryption, an unauthenticated attacker can send a crafted pickle payload that, when deserialized, causes arbitrary code execution on the server (CWE-502: Deserialization of Untrusted Data).
An attacker without any authentication and with network access to the vulnerable host can gain full control over the server — execute arbitrary code, access data, and affect system availability and integrity (full C/I/A: HIGH with scope Changed).
Update vLLM to version 0.8.5 or newer, which contains the patch eliminating the vulnerability. Until the update is applied, it is recommended to restrict network access to ZeroMQ ports using a firewall and disable mooncake integration if not required.
vLLM in versions 0.6.5 to 0.8.5 (only) with active mooncake integration. vLLM instances not using mooncake integration are not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HVllm
APPVllm0.6.5 – 0.8.5 (bez)
Related vulnerabilities
Pominięcie uwierzytelnienia w vLLM — bypass klucza API OpenAI
vLLM: wyciek adresu sterty umożliwiający RCE przez endpoint multimodalny
vLLM: niezamierzone nasłuchiwanie TCPStore na wszystkich interfejsach sieciowych
RCE przez niebezpieczną deserializację w vllm MessageQueue.dequeue()
RCE przez niebezpieczną deserializację w vLLM z Mooncake (ZMQ/TCP)