CVE-2025-29783 CRITICAL

CVE-2025-29783: vLLM Allows Remote Code Execution via Mooncake Integration

Vendor Vllm-Project
Product vllm
Weakness CWE-502 · Unsafe deserialization
Published March 19, 2025
Last update March 22, 2025

CVSS base score

9.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.

Key dates

02Disclosure timeline

March 19, 2025 CVE published
March 22, 2025 Record updated