cbcvebase.
CVE-2025-47277
published 2025-05-20

CVE-2025-47277: vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the…

PriorityP258critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.96%
57.0th percentile
vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the `PyNcclPipe` class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, while CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods on the CPU side.​ The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured.

Affected

3 ranges
VendorProductVersion rangeFixed in
vllm-projectvllm
vllmvllm>= 0.6.5 < 0.8.50.8.5
vllmvllm>= 0.6.5 < 0.8.50.8.5

Detection & IOCsextracted from sources · hover to see the quote

command--kv-ip
  • Monitor for vLLM's TCPStore interface listening on ALL network interfaces (0.0.0.0) rather than a restricted private interface, which indicates the vulnerable configuration is active (versions 0.6.5–0.8.4 with PyNcclPipe and V0 engine).
  • Alert on use of pickle.loads on data received via the TCPStore/PyNcclPipe send_obj/recv_obj methods from untrusted network sources, as this is the RCE vector.
  • Detect vLLM processes (V0 engine with PyNcclPipe KV cache transfer) where the TCPStore socket is bound to a public/non-private interface, indicating misconfiguration exploitable by CVE-2025-47277.
  • Flag CPU-side control message passing via `send_obj` and `recv_obj` methods on the PyNcclPipe class when originating from unexpected or external network sources.
  • ·This vulnerability ONLY affects environments using the PyNcclPipe KV cache transfer integration with the V0 engine in vLLM versions 0.6.5 through 0.8.4. All other configurations are unaffected.
  • ·The fix in vLLM 0.8.5 forces TCPStore to bind only to the private interface specified via --kv-ip, rather than all interfaces. Upgrading to 0.8.5+ is the remediation.
  • ·Red Hat products are not affected by default due to vLLM nodes being restricted to an isolated network, but the vulnerability becomes relevant if customers alter network segmentation configurations.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.