CVE-2025-47277

vLLM Allows Remote Code Execution via PyNcclPipe Communication Service

CVSS 9.8 CRITICALEPSS 0.9%CWE-502

In short

vLLM versions 0.6.5-0.8.4 using PyNcclPipe for distributed GPU processing accept and execute untrusted code from the network because their communication service listens on all network interfaces instead of just private ones, allowing attackers to run arbitrary code on the server.

Technical detail

CVE-2025-47277 exploits improper network binding in vLLM's PyNcclPipe KV cache transfer mechanism (CWE-502: deserialization of untrusted data). The TCPStore interface, intended to listen only on a specified private interface via `--kv-ip`, defaults to binding all interfaces due to PyTorch's behavior. An attacker on the network can send malicious serialized objects to the exposed communication service, achieving remote code execution in the context of the vLLM process. Mitigation available in version 0.8.5+.

Summary generated and translated by AI from the official description.

vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the `PyNcclPipe` class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, while CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods on the CPU side. The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

vllm-project · vllm

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.vllm.ai/en/latest/deployment/security.html https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7 https://github.com/vllm-project/vllm/pull/15988 https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv