Listen to this Post
How the CVE Works
CVE-2025-29783 affects vLLM when configured with Mooncake for distributed key-value (KV) storage. The vulnerability arises from unsafe deserialization of data transmitted over ZMQ/TCP, exposed on all network interfaces. Attackers can exploit this flaw by sending maliciously crafted serialized objects, leading to remote code execution (RCE) on distributed hosts. The lack of proper input validation in Mooncake’s deserialization process allows arbitrary code execution under the service’s privileges, impacting clusters using vLLM for LLM inference.
DailyCVE Form
Platform: vLLM
Version: <0.8.0
Vulnerability: RCE
Severity: Critical
Date: 2025-03-19
Prediction: Patch expected by 2025-08-15
What Undercode Say
Analytics:
nmap -p 5555 --script zmq-exploit <target> python3 mooncake_exploit.py --host <IP>
Exploit:
- Craft malicious serialized payload.
- Send via ZMQ/TCP to vLLM-Mooncake endpoint.
- Trigger deserialization for RCE.
Protection from this CVE:
- Upgrade to vLLM 0.8.0+.
- Restrict ZMQ/TCP to trusted interfaces.
- Implement serialization whitelisting.
Impact:
- Full host compromise.
- LLM inference hijacking.
- Data exfiltration.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
