CVE-2025-29783
CRITICAL9.0EPSS 2.1%vLLM Allows Remote Code Execution via Mooncake Integration
描述
### Summary When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP will allow attackers to execute remote code on distributed hosts. ### Details 1. Pickle deserialization vulnerabilities are [well documented](https://docs.python.org/3/library/pickle.html). 2. The [mooncake pipe](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L206) is exposed over the network (by design to enable disaggregated prefilling across distributed environments) using ZMQ over TCP, greatly increasing exploitability. ~~Further, the mooncake integration opens these sockets listening on all interfaces on the host, meaning it can not be configured to only use a private, trusted network.~~ Only `sender_socket` and `receiver_ack` are allowed to be accessed publicly, while the data actually decompressed by `pickle.loads()` comes from [recv_bytes](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L257). Its interface is defined as `self.receiver_socket.connect(f\"tcp://{d_host}:{d_rank_offset + 1}\")`, where `d_host` is `decode_host`, a locally defined address 192.168.0.139,from mooncake.json (https://github.com/kvcache-ai/Mooncake/blob/main/doc/en/vllm-integration-v0.2.md?plain=1#L36). 3. The root problem is [`recv_tensor()`](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L257) calls [`_recv_impl`](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L244) which passes the raw network bytes to `pickle.loads()`. Additionally, it does not appear that there are any controls (network, authentication, etc) to prevent arbitrary users from sending this payload to the affected service. ### Impact This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. ### Remediation This issue is resolved by https://github.com/vllm-project/vllm/pull/14228
受影響套件(2)
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.0 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-29783
- PATCHhttps://github.com/vllm-project/vllm
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-63.yaml
- WEBhttps://github.com/vllm-project/vllm/commit/288ca110f68d23909728627d3100e5a8db820aa2
- WEBhttps://github.com/vllm-project/vllm/pull/14228
- WEBhttps://github.com/vllm-project/vllm/security/advisories/GHSA-x3m8-f7g5-qhm7