10

CVE-2025-32444

Exploit

EPSS 2.27%
Veröffentlicht 30.04.2025 00:25:00
Zuletzt bearbeitet 28.05.2025 19:12:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vllm ≫ Vllm Version >= 0.6.5 < 0.8.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.27%	0.841

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/vllm-project/vllm/security/advisories/GHSA-x3m8-f7g5-qhm7

Not Applicable

https://github.com/vllm-project/vllm/security/advisories/GHSA-hj4w-hm2g-p6w5

Vendor Advisory

Exploit

https://github.com/vllm-project/vllm/commit/a5450f11c95847cf51a17207af9a3ca5ab569b2c

Patch

https://github.com/vllm-project/vllm/blob/32b14baf8a1f7195ca09484de3008063569b43c5/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L179

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-32444

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32444

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32444

EUVD