Omjeki

#23459 of 53,634
10 CVSS total
Vulnerabilities · 1
PT-2025-22278
10
2025-04-03
Vllm · Vllm · CVE-2025-47277
**Name of the Vulnerable Software and Affected Versions**

vLLM versions 0.6.5 through 0.8.4

**Description**

vLLM, an inference and serving engine for large language models (LLMs), contains a remote code execution issue. It affects environments that use the `PyNcclPipe` KV cache transfer integration with the V0 engine. The issue stems from the use of `pickle.loads` to process client-provided data within the `PyNcclPipe` implementation, which creates an unsafe deserialization vulnerability. An attacker can exploit this by sending malicious serialized data to gain control of the server.

The `PyNcclPipe` class establishes peer-to-peer communication for data transmission between distributed nodes. GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, and CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods. The intended behavior was for this interface to be exposed only to a private network, using the IP address specified by the `--kv-ip` CLI parameter. However, the default behavior of PyTorch allows the `TCPStore` interface to listen on all interfaces, regardless of the provided IP address.

**Recommendations**

Update to vLLM version 0.8.5 or later to benefit from the fix that limits the `TCPStore` socket to the configured private interface.
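The following is an added example, not code from the advisory or the vLLM project: a Linux-side audit check for the root cause described above, a listener bound to all interfaces instead of the address given with `--kv-ip`. The `/proc/net/tcp` sample, port 20000 and address 10.0.0.5 are constructed placeholders, and the check covers IPv4 only (`/proc/net/tcp6` needs the same treatment).

```python
import ipaddress

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Port 20000 (0x4E20) stands in for the KV-transfer port, 10.0.0.5 for --kv-ip.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:4E20 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001
   1: 0500000A:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41002
   2: 0500000A:4E20 0700000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 41003
"""


def parse_listeners(text):
    """Yield (ip, port) for every IPv4 socket in LISTEN state."""
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address in host byte order
        # (little-endian on x86-64 and ARM64), so reverse the bytes.
        ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
        yield ip, int(hex_port, 16)


def audit_bind(text, port, expected_ip):
    """Return findings for listeners on `port` not bound exactly to `expected_ip`."""
    expected = ipaddress.IPv4Address(expected_ip)
    findings = []
    for ip, listen_port in parse_listeners(text):
        if listen_port != port or ip == expected:
            continue
        if ip.is_unspecified:
            reason = "wildcard bind, reachable on every interface"
        else:
            reason = "bound to an unexpected interface"
        findings.append((str(ip), listen_port, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_bind(SAMPLE_PROC_NET_TCP, 20000, "10.0.0.5"):
        print(finding)
```

On a live host, pass the contents of `/proc/net/tcp` together with the port and address the deployment actually uses.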