CRITICAL🇵🇱 Wersja polska

CVE-2025-47277

CVSS 9.8v3.1pub. 2025-05-20upd. 2025-08-13

vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the `PyNcclPipe` class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, while CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods on the CPU side.​ The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured.

🤖 AI Analysis
How it works

The CPU control message mechanism in the `PyNcclPipe` class uses `send_obj` and `recv_obj` methods, which rely on the `TCPStore` interface from the PyTorch library. According to PyTorch's default behavior, `TCPStore` binds the socket to all available network interfaces, ignoring the IP address passed via the `--kv-ip` parameter. As a result, the interface intended only for private network access was publicly exposed. The vulnerability is classified as CWE-502 (deserialization of untrusted data), meaning an attacker can submit a crafted object that will be deserialized on the server side.

Impact

An unauthenticated remote attacker can submit a malicious serialized payload to the `TCPStore` interface, which may result in arbitrary code execution (RCE) on the inference node, and consequently full system compromise, breach of data confidentiality and integrity, and service unavailability.

Mitigation & patch

vLLM should be updated to version 0.8.5 or later, in which `TCPStore` has been fixed to bind the socket exclusively to the specified private network interface. Until the update is applied, inference nodes must be absolutely isolated at the network level (firewall, segmentation) to ensure the `TCPStore` interface is not accessible from untrusted networks, in accordance with vLLM documentation recommendations for secure deployment.

Who is affected

vLLM versions 0.6.5 to 0.8.4 — exclusively in configurations using `PyNcclPipe` integration for KV cache transfer with the V0 engine. Other configurations are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vllm

    APP
    Vllm
    0.6.5 – 0.8.5 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-48746CRITICAL9.1PL ✓ten sam produkt

Pominięcie uwierzytelnienia w vLLM — bypass klucza API OpenAI

CVE-2026-22778CRITICAL9.8PL ✓ten sam produkt

vLLM: wyciek adresu sterty umożliwiający RCE przez endpoint multimodalny

CVE-2025-32444CRITICAL10.0PL ✓ten sam produkt

RCE w vLLM poprzez deserializację pickle na niezabezpieczonych gniazdach ZeroMQ

CVE-2024-11041CRITICAL9.8PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w vllm MessageQueue.dequeue()

CVE-2025-29783CRITICAL9.0PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w vLLM z Mooncake (ZMQ/TCP)