PT-2025-19899 · Zeromq+1
Avioligo · Published 2025-05-06 · Updated 2026-04-08
CVE-2025-30165 · CVSS v3.1 8.0 High
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.5.2 through 0.8.5.post1
Description: The issue exists in the V0 engine of vLLM, which uses ZeroMQ for multi-node communication. Data received on the SUB ZeroMQ socket is deserialized with pickle, so anyone who can deliver a message to that socket can obtain code execution on the host that receives it. This vulnerability can be exploited to compromise hosts in a vLLM deployment, especially if the primary host is already compromised. Attackers could also use other means, such as ARP cache poisoning, to redirect traffic and deliver a payload with arbitrary code. The V1 engine is not affected by this issue.
Recommendations: For versions 0.5.2 through 0.8.5.post1, ensure the environment is on a secure network to minimize the risk of exploitation; the maintainers have decided not to fix this issue because the required change is invasive and the V0 engine has been off by default since v0.8.0. Consider using the V1 engine, which is not affected by this issue, for new deployments or migrations. As a temporary workaround, consider restricting access to the SUB ZeroMQ socket so that only trusted nodes can connect to it.
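The weakness class behind this record (deserialization of untrusted data) is easiest to see side by side: a loader that calls pickle.loads on bytes from the wire, and a loader that refuses every global reference in the stream. The following is an added example written for this record; it is not vLLM's code and not the maintainers' fix. The message frames, the PoisonedMessage class and the RestrictedUnpickler are all constructed here, and the ZeroMQ socket is left out so the snippet runs offline on embedded bytes.

```python
"""Added example (not vLLM code): raw pickle.loads on a network frame
versus a restricted unpickler that rejects all global references."""
import io
import pickle


class PoisonedMessage:
    """Constructed stand-in for an attacker-shaped message. pickle records
    the callable and arguments returned by __reduce__, and pickle.loads on
    the receiving side invokes that callable. A harmless callable
    (str.upper) is used here so the effect is visible without side effects."""

    def __reduce__(self):
        return (str.upper, ("untrusted callable invoked",))


# Constructed sample frames, standing in for what a SUB socket would hand us.
BENIGN_FRAME = pickle.dumps({"request_id": 7, "tokens": [1, 2, 3]}, protocol=4)
POISONED_FRAME = pickle.dumps(PoisonedMessage(), protocol=4)


def vulnerable_load(frame: bytes):
    """The pattern the advisory describes: pickle.loads on bytes from the wire.
    Whatever callable the sender referenced is resolved and invoked here."""
    return pickle.loads(frame)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference, so only pickle's container and scalar
    opcodes (dict, list, tuple, int, str, bytes, ...) can be rebuilt.
    Extend ALLOWED with (module, name) pairs only for types you explicitly
    need; anything not listed raises before it is looked up or called."""

    ALLOWED: frozenset = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_load(frame: bytes):
    """Hardened loader: same wire format, no arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(frame)).load()


def load_or_reject(frame: bytes):
    """Returns (True, payload) for an accepted frame or (False, reason)."""
    try:
        return True, restricted_load(frame)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable loader, poisoned frame:", vulnerable_load(POISONED_FRAME))
    print("restricted loader, benign frame:  ", load_or_reject(BENIGN_FRAME))
    print("restricted loader, poisoned frame:", load_or_reject(POISONED_FRAME))
```

The vulnerable loader returns the upper-cased string, which proves the sender chose a callable that ran on the receiver; the restricted loader rejects the same frame at the first global lookup and still accepts the plain dict. An allow-list unpickler is a containment measure for code that must keep speaking pickle; the more robust design is a serializer that cannot express callables at all (JSON or a schema-checked binary format), which is the direction the page's advice to prefer the V1 engine points in.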

Exploit · Fix · RCE
Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers: CVE-2025-30165 · GHSA-9PCC-GVX5-R5WM
Affected Products: Zeromq · Vllm