9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29783

GHSA ID

GHSA-x3m8-f7g5-qhm7

EPSS Score

0.748%

CWE

CWE-502

Published

3/19/2025

Updated

3/22/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29783

CVE-2025-29783: vLLM Allows Remote Code Execution via Mooncake Integration

Summary

When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP will allow attackers to execute remote code on distributed hosts.

Details

Pickle deserialization vulnerabilities are well documented.
The mooncake pipe is exposed over the network (by design to enable disaggregated prefilling across distributed environments) using ZMQ over TCP, greatly increasing exploitability. ~~Further, the mooncake integration opens these sockets listening on all interfaces on the host, meaning it can not be configured to only use a private, trusted network.~~

Only sender_socket and receiver_ack are allowed to be accessed publicly, while the data actually decompressed by pickle.loads() comes from recv_bytes. Its interface is defined as self.receiver_socket.connect(f\"tcp://{d_host}:{d_rank_offset + 1}\"), where d_host is decode_host, a locally defined address 192.168.0.139,from mooncake.json (https://github.com/kvcache-ai/Mooncake/blob/main/doc/en/vllm-integration-v0.2.md?plain=1#L36).

The root problem is recv_tensor() calls _recv_impl which passes the raw network bytes to pickle.loads(). Additionally, it does not appear that there are any controls (network, authentication, etc) to prevent arbitrary users from sending this payload to the affected service.

Impact

This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts.

Remediation

This issue is resolved by https://github.com/vllm-project/vllm/pull/14228

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29783

GHSA ID

GHSA-x3m8-f7g5-qhm7

EPSS Score

0.748%

CWE

CWE-502

Published

3/19/2025

Updated

3/22/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vllm	pip

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe pickle deserialization in Mooncake's network communication. The _recv_impl function directly passes raw network bytes to pickle.loads(), which is a well-known RCE vector (CWE-502). The _send_impl function's use of pickle.dumps() enables crafting malicious payloads. Both functions operate over ZMQ/TCP with insufficient network controls, as evidenced by the patch replacing pickle with safetensors in these exact locations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n vLLM is *on*i*ur** to us* Moon**k*, uns*** **s*ri*liz*tion *xpos** *ir**tly ov*r ZMQ/T*P will *llow *tt**k*rs to *x**ut* r*mot* *o** on *istri*ut** *osts. ### **t*ils *. Pi*kl* **s*ri*liz*tion vuln*r**iliti*s *r* [w*ll *o*um*nt**](*

Reasoning

T** vuln*r**ility st*ms *rom uns*** pi*kl* **s*ri*liz*tion in Moon**k*'s n*twork *ommuni**tion. T** _r**v_impl *un*tion *ir**tly p*ss*s r*w n*twork *yt*s to pi*kl*.lo**s(), w*i** is * w*ll-known R** v**tor (*W*-***). T** _s*n*_impl *un*tion's us* o*

9.1

Basic Information

Concerned about an active attack path?

CVE-2025-29783: vLLM Allows Remote Code Execution via Mooncake Integration

Summary

Details

Impact

Remediation

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI