CVE-2025-30202 — Allocation of Resources Without Limits or Throttling in Vllm

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-200 — Sensitive Information Exposure CWE-94 — Code Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 36.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vllm Vllm-project Vllm Msrc Azl3 Emacs 29.1-1 ON Azure Linux 3.0 +7 more

Timeline

Latest updateApr 29

PublishedApr 30

Description

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the socket is always opened for a multi-node deployment, it is only used when doing tens…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

▶NVDvllm/vllm0.5.2 — 0.8.5

▶PyPIvllm/vllm0.5.2 — 0.8.5

▶CVEListV5vllm-project/vllm>= 0.5.2, < 0.8.5

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Data exposure via ZeroMQ on multi-node vLLM deployment↗2025-04-29

▶

OSV

Data exposure via ZeroMQ on multi-node vLLM deployment↗2025-04-29

▶

📋Vendor Advisories

Red Hat

vllm: Data Exposure via ZeroMQ on Multi-Node vLLM Deployment↗2025-04-29

▶

Microsoft

In Emacs before 29.3 arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.↗2024-03-12

▶