CVE-2025-29783
published 2025-03-19CVE-2025-29783: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed…
PriorityP356critical9CVSS 3.1
AVAACLPRLUINSCCHIHAH
EPSS
0.82%
52.6th percentile
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | — | — |
| vllm | vllm | >= 0 < 288ca110f68d23909728627d3100e5a8db820aa2 | 288ca110f68d23909728627d3100e5a8db820aa2 |
| vllm | vllm | >= 0.6.5 < 0.8.0 | 0.8.0 |
| vllm | vllm | >= 0.6.5 < 0.8.0 | 0.8.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unsafe deserialization traffic over ZMQ/TCP exposed on all network interfaces in vLLM Mooncake-enabled deployments ↗
- →Flag vLLM deployments configured to use Mooncake for KV distribution across hosts as high-risk for RCE via deserialization ↗
- →Monitor for unexpected inbound ZMQ/TCP connections to vLLM distributed hosts, especially from untrusted network sources, as the attack surface is all network interfaces ↗
- ·Vulnerability only affects vLLM deployments where Mooncake integration is enabled for KV distribution; deployments without Mooncake are not affected ↗
- ·RHEL-AI packages are confirmed not affected as Mooncake is not included in that distribution ↗
- ·The vulnerability is fixed in vLLM version 0.8.0; unpatched versions below this are vulnerable when Mooncake is in use ↗
- ·A possible mitigation short of patching is making fields transient to protect them from deserialization ↗
CVSS provenance
nvdv3.19.0CRITICALCVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat9.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
vLLM Allows Remote Code Execution via Mooncake Integration
osv·2025-03-19
CVE-2025-29783 [CRITICAL] vLLM Allows Remote Code Execution via Mooncake Integration
vLLM Allows Remote Code Execution via Mooncake Integration
### Summary
When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP will allow attackers to execute remote code on distributed hosts.
### Details
1. Pickle deserialization vulnerabilities are [well documented](https://docs.python.org/3/library/pickle.html).
2. The [mooncake pipe](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L206) is exposed over the network (by design to enable disaggregated prefilling across distributed environments) using ZMQ over TCP, greatly increasing exploitability. ~~Further, the mooncake integration opens these sockets listening on all interfaces on the host, meaning it can not
OSV
CVE-2025-29783: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs
osv·2025-03-19
CVE-2025-29783 CVE-2025-29783: vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.
GHSA
vLLM Allows Remote Code Execution via Mooncake Integration
ghsa·2025-03-19
CVE-2025-29783 [CRITICAL] CWE-502 vLLM Allows Remote Code Execution via Mooncake Integration
vLLM Allows Remote Code Execution via Mooncake Integration
### Summary
When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP will allow attackers to execute remote code on distributed hosts.
### Details
1. Pickle deserialization vulnerabilities are [well documented](https://docs.python.org/3/library/pickle.html).
2. The [mooncake pipe](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L206) is exposed over the network (by design to enable disaggregated prefilling across distributed environments) using ZMQ over TCP, greatly increasing exploitability. ~~Further, the mooncake integration opens these sockets listening on all interfaces on the host, meaning it can not
Red Hat
vllm: vLLM Allows Remote Code Execution via Mooncake Integration
vendor_redhat·2025-03-19·CVSS 9.0
CVE-2025-29783 [CRITICAL] CWE-502 vllm: vLLM Allows Remote Code Execution via Mooncake Integration
vllm: vLLM Allows Remote Code Execution via Mooncake Integration
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.
A flaw was found in vLLM. In deployments where vLLM is configured to use Mooncake to distribute KV across hosts, this vulnerability allows remote code execution via unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces.
Statement: RHEL-AI is not affected as it does n
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-19
Published