PT-2025-22278 · Vllm · Vllm

Kikayli +2 · Published 2025-04-03 · Updated 2025-09-23 · CVE-2025-47277

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

vLLM versions 0.6.5 through 0.8.4

Description

vLLM, an inference and serving engine for large language models (LLMs), contains a remote code execution issue. It affects environments that use the PyNcclPipe KV cache transfer integration with the V0 engine. The PyNcclPipe implementation passes client-provided data to pickle.loads, which creates an unsafe deserialization vulnerability. An attacker can exploit this by sending malicious serialized data to gain control of the server.

The PyNcclPipe class establishes peer-to-peer communication for data transmission between distributed nodes. GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, and CPU-side control message passing is handled via the send_obj and recv_obj methods. The intended behavior was for this interface to be exposed only to a private network, using the IP address specified by the --kv-ip CLI parameter. However, PyTorch's default behavior makes the TCPStore interface listen on all interfaces, regardless of the provided IP address.

Recommendations

Update to vLLM version 0.8.5 or later to benefit from the fix that limits the TCPStore socket to the configured private interface.
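
The binding problem described above can be checked on a running host. The following is an added example, not code from the advisory or from vLLM: it parses the Linux /proc/net/tcp table and reports whether the KV transfer port listens on all interfaces instead of only on the --kv-ip address. The port number, the addresses and both sample tables are constructed, and the function names are hypothetical; IPv4 on a little-endian host is assumed.

```python
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

def listeners(proc_net_tcp):
    """Yield (ip, port) for each IPv4 socket in LISTEN state."""
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # Data rows start with an index such as "0:"; the header row does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the address bytes appear reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16)

def audit_kv_listener(proc_net_tcp, kv_ip, kv_port):
    """Classify every listener on kv_port against the configured kv_ip."""
    results = []
    for ip, port in listeners(proc_net_tcp):
        if port != kv_port:
            continue
        if ip == "0.0.0.0":
            verdict = "exposed"      # reachable on every interface
        elif ip == kv_ip:
            verdict = "ok"           # bound only to the private address
        else:
            verdict = "unexpected"   # bound to some other single address
        results.append((ip, port, verdict))
    return results

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
# Constructed sample: port 14579 (0x38F3) bound to the wildcard address.
SAMPLE_WILDCARD = HEADER + (
    "   0: 0100007F:0035 00000000:0000 0A 00000000:00000000\n"
    "   1: 00000000:38F3 00000000:0000 0A 00000000:00000000\n"
    "   2: 0500000A:38F3 0600000A:C350 01 00000000:00000000\n"  # established, ignored
)
# Constructed sample: same port bound only to 10.0.0.5.
SAMPLE_BOUND = HEADER + "   0: 0500000A:38F3 00000000:0000 0A 00000000:00000000\n"

if __name__ == "__main__":
    for name, table in (("wildcard", SAMPLE_WILDCARD), ("bound", SAMPLE_BOUND)):
        print(name, audit_kv_listener(table, "10.0.0.5", 14579))
```

On a real host, pass the contents of /proc/net/tcp in place of the samples; IPv6 listeners live in /proc/net/tcp6 and are not covered by this check.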

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2026-03420
CVE-2025-47277
GHSA-HJQ4-87XH-G4FV

Affected Products

Vllm