Vulnerability Description
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vllm | Vllm | >= 0.6.5, < 0.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/vllm-project/vllm/commit/288ca110f68d23909728627d3100e5a8db82Patch
- https://github.com/vllm-project/vllm/pull/14228Issue TrackingVendor Advisory
- https://github.com/vllm-project/vllm/security/advisories/GHSA-x3m8-f7g5-qhm7Vendor Advisory
FAQ
What is CVE-2025-29783?
CVE-2025-29783 is a vulnerability with a CVSS score of 9.0 (CRITICAL). vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network inter...
How severe is CVE-2025-29783?
CVE-2025-29783 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-29783?
Check the references section above for vendor advisories and patch information. Affected products include: Vllm Vllm.