PT-2025-11697 · Mooncake+1

Josephtlucas · Published 2025-03-19 · Updated 2025-03-25 · CVE-2025-29783

CVSS v3.1: 9.0 (Critical)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vLLM versions prior to 0.8.0
Description: Remote code execution in vLLM when it is configured to use Mooncake for KV-cache transfer. The Mooncake integration deserializes data received over ZMQ/TCP with pickle.loads(), and the receiving socket is bound on all network interfaces, so any host that can reach the port can send a crafted pickle stream that executes arbitrary code on the receiving node. Every deployment that uses Mooncake to distribute the KV cache across hosts is affected.
Recommendations: Upgrade to vLLM 0.8.0 or later. Until the upgrade can be applied, restrict network access to the Mooncake integration (firewall the port and bind the socket to an internal address rather than all interfaces) so that only trusted hosts can send data to the affected service. Never call pickle.loads() on input from an untrusted source.
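The Python below is an added illustration of the bug class the advisory describes; it is not code from vLLM or Mooncake, and every name in it (Gadget, receive_unsafe, NoGlobalsUnpickler, encode_block, the KVB1 frame format, MAX_VALUES) is hypothetical. Part 1 shows why pickle.loads() on bytes from a socket hands the sender control of which callable the receiver executes; parts 2 and 3 show two hardened receivers, one that keeps pickle but refuses every global, and one that replaces pickle with a fixed binary schema that cannot name code at all. The ZMQ transport is left out so the example runs offline; the payload is constructed inline.

```python
"""Added example for CVE-2025-29783's bug class (not vLLM/Mooncake code)."""
import io
import os
import pickle
import struct


# --- 1. Vulnerable pattern: pickle.loads() on bytes that arrived over the network ---

class Gadget:
    """Attacker-built object (hypothetical). When the receiver unpickles it, pickle
    resolves the global named in the stream (here os.getpid, chosen by the sender)
    and calls it with the supplied arguments before any application code runs."""

    def __reduce__(self):
        return (os.getpid, ())   # any importable callable works, e.g. os.system


def attacker_payload() -> bytes:
    # Constructed payload: what a hostile peer could write to the exposed socket.
    return pickle.dumps(Gadget())


def receive_unsafe(frame: bytes):
    """Vulnerable receiver: trusts the wire format, so the sender picks the callable."""
    return pickle.loads(frame)


def unsafe_receiver_ran_attacker_callable() -> bool:
    """True when the receiver executed the sender-chosen function in its own process."""
    return receive_unsafe(attacker_payload()) == os.getpid()


# --- 2. Hardened variant A: keep pickle for primitives only, refuse every global ---

class NoGlobalsUnpickler(pickle.Unpickler):
    """KV metadata needs only ints/floats/bytes/lists/dicts, which never reference a
    global, so any GLOBAL/STACK_GLOBAL opcode in the stream is hostile."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def receive_restricted(frame: bytes):
    return NoGlobalsUnpickler(io.BytesIO(frame)).load()


BENIGN_META = {"layer": 3, "k": [0.5, 1.0]}   # constructed sample, primitives only


def benign_payload() -> bytes:
    return pickle.dumps(BENIGN_META)


# --- 3. Hardened variant B: drop pickle; a fixed binary schema for one KV block ---

MAGIC = b"KVB1"                     # hypothetical frame format
HEADER = struct.Struct("!4sII")     # magic, layer index, number of float32 values
MAX_VALUES = 1 << 24                # hypothetical upper bound for one block


def encode_block(layer: int, values) -> bytes:
    body = struct.pack(f"!{len(values)}f", *values)
    return HEADER.pack(MAGIC, layer, len(values)) + body


def decode_block(frame: bytes):
    """Parse with explicit bounds checks; nothing in the frame can name code."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    magic, layer, count = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if count > MAX_VALUES:
        raise ValueError("block too large")
    body = frame[HEADER.size:]
    if len(body) != 4 * count:
        raise ValueError("length mismatch")
    return layer, list(struct.unpack(f"!{count}f", body))


def rejects(receiver, frame: bytes) -> bool:
    """True if the hardened receiver refuses the frame instead of acting on it."""
    try:
        receiver(frame)
    except (pickle.UnpicklingError, ValueError, struct.error):
        return True
    return False


if __name__ == "__main__":
    print("unsafe receiver ran attacker callable:", unsafe_receiver_ran_attacker_callable())
    print("restricted unpickler rejects payload:", rejects(receive_restricted, attacker_payload()))
    print("schema decoder rejects payload:", rejects(decode_block, attacker_payload()))
    print("schema round trip:", decode_block(encode_block(7, [0.5, 1.0, -2.0])))
```

Variant A is the "restricting globals" technique from the Python pickle documentation and is only adequate when the protocol genuinely needs nothing but primitives; variant B is the stronger fix because a length-prefixed schema has no code-execution path to restrict. Independently of the serializer, a ZMQ socket bound with tcp://*:PORT listens on every interface; binding to a specific internal address and firewalling the port is the access restriction the advisory's workaround refers to.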

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2025-29783
GHSA-x3m8-f7g5-qhm7
PYSEC-2025-63

Affected Products

Mooncake
vLLM