CVE-2025-29783

Published Mar 19, 2025

Last updated 14 days ago

Overview

Description
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces allows attackers to execute remote code on the distributed hosts. This is a remote code execution vulnerability affecting any deployment that uses Mooncake to distribute the KV cache across hosts. The vulnerability is fixed in vLLM 0.8.0.
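The following is an added example, not vLLM or Mooncake code, that reproduces the CWE-502 pattern the description names (a listener that deserializes whatever a network peer sends) and two ways of closing it. The ZMQ/TCP transport is replaced by in-memory bytes so it runs offline; the attacker's "gadget" only records a marker instead of running a command; the length-prefixed JSON-plus-raw-bytes frame, the dtype allowlist and the size cap are assumptions chosen for the example and are not Mooncake's wire format.

```python
import io
import json
import pickle
import struct

EXECUTED = []              # constructed stand-in for an attacker's os.system call
FIXED_VERSION = (0, 8, 0)  # from the advisory: fixed in vLLM 0.8.0


def _gadget(marker):
    EXECUTED.append(marker)
    return marker


class Gadget:
    """__reduce__ makes pickle call _gadget("pwned") inside loads(); an attacker
    substitutes os.system and a shell command for the same effect."""
    def __reduce__(self):
        return (_gadget, ("pwned",))


def attacker_payload() -> bytes:
    # What a network peer sends to a listener that pickle.loads() its input.
    return pickle.dumps(Gadget())


def vulnerable_receive(data: bytes):
    """The pattern the advisory describes: untrusted bytes straight into pickle."""
    return pickle.loads(data)


class RefusingUnpickler(pickle.Unpickler):
    """Stop-gap only: refuse every global lookup so no function or class can be
    resolved from the stream. Plain numbers, bytes, lists and dicts still load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def guarded_receive(data: bytes):
    return RefusingUnpickler(io.BytesIO(data)).load()


# Proper fix: a fixed-schema frame with no deserializer that can execute code.
# Assumed layout: 4-byte big-endian header length, JSON header
# {dtype, shape, nbytes}, then the raw tensor bytes.
ALLOWED_DTYPES = {"float16", "bfloat16", "float32"}
MAX_NBYTES = 256 * 1024 * 1024  # assumed cap so a peer cannot force huge allocations


def encode_kv(dtype: str, shape, buf: bytes) -> bytes:
    header = json.dumps({"dtype": dtype, "shape": list(shape), "nbytes": len(buf)}).encode()
    return struct.pack("!I", len(header)) + header + buf


def decode_kv(frame: bytes):
    if len(frame) < 4:
        raise ValueError("short frame")
    (hlen,) = struct.unpack("!I", frame[:4])
    if hlen > len(frame) - 4:
        raise ValueError("header length exceeds frame")
    header = json.loads(frame[4:4 + hlen])  # JSON yields only dicts/lists/scalars
    if not isinstance(header, dict) or set(header) != {"dtype", "shape", "nbytes"}:
        raise ValueError("unexpected header")
    if header["dtype"] not in ALLOWED_DTYPES:
        raise ValueError("dtype not allowed")
    shape, nbytes = header["shape"], header["nbytes"]
    if not (isinstance(shape, list) and all(isinstance(d, int) and d > 0 for d in shape)):
        raise ValueError("bad shape")
    if not isinstance(nbytes, int) or not 0 <= nbytes <= MAX_NBYTES:
        raise ValueError("bad nbytes")
    buf = frame[4 + hlen:]
    if len(buf) != nbytes:
        raise ValueError("payload length mismatch")
    return header["dtype"], shape, buf


def affected_version(version: str) -> bool:
    """True for vLLM versions below 0.8.0 (simplified: numeric parts only)."""
    parts = [int("".join(c for c in p if c.isdigit()) or 0) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


def demo():
    """Feed the same payload to all three receive paths; returns a summary dict."""
    payload = attacker_payload()
    before = len(EXECUTED)
    ran = vulnerable_receive(payload) == "pwned" and len(EXECUTED) == before + 1
    result = {"vulnerable_ran_gadget": ran}
    for key, fn in (("guarded_blocked", guarded_receive), ("schema_blocked", decode_kv)):
        try:
            fn(payload)
            result[key] = False
        except (pickle.UnpicklingError, ValueError):
            result[key] = True
    dtype, shape, buf = decode_kv(encode_kv("float16", (2, 4), b"\x00" * 16))
    result["schema_roundtrip"] = (dtype, shape, len(buf)) == ("float16", [2, 4], 16)
    return result


if __name__ == "__main__":
    print(demo())
```

The refusing unpickler shows why allowlisting is only a stop-gap: it blocks the gadget, but the peer still drives a full pickle virtual machine. The fixed-schema decoder is the shape of a real fix, since nothing in it can instantiate a class or call a function, and every field is type-checked and length-checked before any buffer is touched. Independently of the serializer, a listener that must accept KV traffic should be bound to the cluster-internal interface rather than all interfaces, which is the exposure the description points at.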
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.0
Impact score
6.0
Exploitability score
2.3
Vector string
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-502

Social media

Hype score
Not currently trending
  1. 🚨 A critical RCE vulnerability (CVE-2025-29783) has been identified in vLLM's Mooncake integration, earning a CVSS score of 10. Users must update to vLLM 0.8.0 immediately. Full details & mitigation ⬇️ #CyberSecurity #RCE #AI #MachineLearning 🔗 https://t.co/UVRKxqlcrh

    @threatsbank

    25 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Lessons from CVE-2025-29783: 1) AI attack surface continues to expand with new features and infra 2) pickle is used in ML for more than models 3) dev moves fast; establish standards early to prevent security tech debt 4) traditional appsec tooling is still 🔥 (found w/ @semgrep)

    @josephtlucas

    23 Mar 2025

    706 Impressions

    1 Retweet

    13 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-29783: Remote Code Execution in vLLM via Unsafe Deserialization in Mooncake https://t.co/6Zyf4WrPBf

    @_cvereports

    20 Mar 2025

    42 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. New post from https://t.co/uXvPWJyEiR (CVE-2025-29783 | vLLM up to 0.7.x ZMQ/TCP deserialization) has been published on https://t.co/Oo3QSqy2Tw

    @WolfgangSesin

    19 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-29783: CRITICAL] vLLM engine has a remote code execution vulnerability when using Mooncake for distribution. Upgrade to version 0.8.0 to fix this issue on distributed hosts. #cybersecurity #vulnerability https://t.co/OR4v579CnY https://t.co/3WkiRnxVwd

    @CveFindCom

    19 Mar 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-29783 vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly… https://t.co/N1vrX0EXO1

    @CVEnew

    19 Mar 2025

    254 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes