We use cookies to improve your experience on our site.
AVID-2026-R1708
Description
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service (CVE-2025-47277)
Details
vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the PyNcclPipe KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the PyNcclPipe class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, while CPU-side control message passing is handled via the send_obj and recv_obj methods on the CPU side. The intention was that this interface should only be exposed to a private network using the IP address specified by the --kv-ip CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the TCPStore interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the TCPStore instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the TCPStore socket to the private interface as configured.
Reason for inclusion in AVID: This CVE describes a critical remote code execution vulnerability in vLLM’s PyNcclPipe-based KV cache transfer, exploitable over a network and affecting the AI model serving stack. It concerns an AI software component used to train/deploy AI models, i.e., a software supply-chain element in general-purpose AI systems. The report provides explicit vulnerability details, affected versions, remediation, and CVSS scoring, establishing clear security impact and sufficiency of evidence.
References
- NVD entry
- https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv
- https://github.com/vllm-project/vllm/pull/15988
- https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7
- https://docs.vllm.ai/en/latest/deployment/security.html
Affected or Relevant Artifacts
- Developer: vllm-project
- Deployer: vllm-project
- Artifact Details:
| Type | Name |
|---|---|
| System | vllm |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-502 | CWE-502: Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-05-20
- Version: 0.3.3
- AVID Entry