PT-2025-18215 · Zeromq, Vllm

Kexinoh +1

Published 2025-04-29 · Updated 2025-05-05

CVE-2025-30202

CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.5.2 up to, but not including, 0.8.5 (the version that carries the fix)
Description: The issue affects vLLM, a high-throughput and memory-efficient inference and serving engine for LLMs. In a multi-node deployment, vLLM uses ZeroMQ for part of its inter-node communication and opens an XPUB ZeroMQ socket bound to all interfaces. Any client that can reach the port over the network can therefore connect to the socket, unless the port is blocked by a firewall, and receive internal vLLM state information. Although this data does not appear to be useful to an attacker, an attacker can connect to the socket repeatedly and never read what is published: ZeroMQ queues outgoing messages per subscriber, so subscribers that never drain their queues slow down or potentially block the publisher, which is the denial of service.
Recommendations: For affected versions (0.5.2 up to 0.8.5), update to version 0.8.5 or later, which resolves the issue. As a temporary workaround, block the port used by the XPUB ZeroMQ socket at the host or network firewall so that only the other nodes of the vLLM deployment can reach it; the workaround only holds while every network path to that port is filtered, so verify it from outside the cluster. Restrict access to the ZeroMQ socket in general to minimize the risk of exploitation.
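As an added illustration (not code from this advisory or from vLLM itself), the following Python helper performs the checks implied by the description and the workaround above: it classifies ZeroMQ bind endpoints by who can reach them, rewrites a wildcard bind onto an internal address, and flags listeners bound to all interfaces in `ss -ltnp` output. The endpoint strings, the internal address 10.0.0.5 and the `ss` sample lines are constructed for the example.

```python
"""Audit helper for ZeroMQ bind endpoints and listening sockets.

Added example, not part of the advisory or of vLLM's own code. It assumes
endpoints in ZeroMQ's "tcp://host:port" form and `ss -ltnp` style listener
lines; the sample data below is constructed, not captured from a real host.
"""
import ipaddress
import re

# Hosts that make a ZeroMQ tcp:// bind listen on every interface.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}

ENDPOINT_RE = re.compile(r"^(?P<scheme>tcp|ipc|inproc)://(?P<rest>.+)$")

# One `ss -ltnp` listener line: state, recv-q, send-q, local addr, peer addr, process.
SS_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_endpoint(endpoint):
    """Return (scheme, host, port); port is None for ipc:// and inproc://."""
    m = ENDPOINT_RE.match(endpoint)
    if not m:
        raise ValueError(f"unrecognised ZeroMQ endpoint: {endpoint!r}")
    scheme, rest = m.group("scheme"), m.group("rest")
    if scheme != "tcp":
        return scheme, rest, None
    host, _, port = rest.rpartition(":")   # rpartition keeps "[::1]" intact
    if not port.isdigit():
        raise ValueError(f"missing port in endpoint: {endpoint!r}")
    return scheme, host, int(port)


def exposure(endpoint):
    """Classify who can reach a bound endpoint."""
    scheme, host, _ = parse_endpoint(endpoint)
    if scheme != "tcp":
        return "local-only"             # ipc:// and inproc:// never leave the host
    if host in WILDCARD_HOSTS:
        return "all-interfaces"         # the XPUB case in this advisory
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "interface-or-hostname"  # e.g. tcp://eth0:5557; review by hand
    if addr.is_loopback:                # checked before is_private (127/8 is both)
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def hardened_endpoint(endpoint, internal_ip):
    """Rewrite a wildcard tcp:// bind onto the cluster's internal address."""
    scheme, host, port = parse_endpoint(endpoint)
    if scheme != "tcp" or host not in WILDCARD_HOSTS:
        return endpoint                 # already specific; nothing to do
    addr = ipaddress.ip_address(internal_ip)
    if addr.is_unspecified or addr.is_global:
        raise ValueError(f"{internal_ip} is not an internal address")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"tcp://{host}:{port}"


def wildcard_listeners(ss_output):
    """Return [(port, process)] for every LISTEN socket bound to all interfaces."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LISTEN_RE.match(line.strip())
        if not m:
            continue                    # header or non-listening line
        host, _, port = m.group("local").rpartition(":")
        if host in WILDCARD_HOSTS:
            found.append((int(port), m.group("proc") or "?"))
    return found


# Constructed `ss -ltnp` output (hypothetical host; not from a real vLLM node).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    0.0.0.0:5557        0.0.0.0:*         users:(("python",pid=4242,fd=23))
LISTEN 0      100    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=100,fd=6))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=1,fd=3))
LISTEN 0      100    10.0.0.5:5558       0.0.0.0:*         users:(("python",pid=4242,fd=25))
"""

if __name__ == "__main__":
    for ep in ("tcp://*:5557", "tcp://10.0.0.5:5557", "ipc:///tmp/vllm.sock"):
        print(f"{ep:28} -> {exposure(ep)}")
    print("hardened:", hardened_endpoint("tcp://*:5557", "10.0.0.5"))
    for port, proc in wildcard_listeners(SAMPLE_SS):
        print(f"port {port} ({proc}) listens on all interfaces")
```

Run it against real `ss -ltnp` output piped into `wildcard_listeners` to find the XPUB port to firewall; `hardened_endpoint` refuses public and unspecified addresses so the rewritten bind cannot silently reintroduce the exposure.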

Exploit · Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2025-30202
GHSA-9F8F-2VMF-885J

Affected Products

Zeromq
Vllm