Cyber Resilience

CVE-2025-29783

Critical

Published: 19 March 2025

Published
19 March 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0212 84.5th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29783 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Vllm Vllm. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs that becomes vulnerable when configured to use Mooncake for distributing KV caches across hosts. The flaw stems from unsafe deserialization of data received directly over ZMQ/TCP on all network interfaces, classified under CWE-502, and enables remote code execution on the affected distributed hosts. The issue impacts any deployment relying on Mooncake and carries a CVSS 3.1 score of 9.0; it was fixed in version 0.8.0.

An attacker with low-privileged access on an adjacent network segment can send crafted serialized payloads over the exposed ZMQ/TCP channel. Successful exploitation grants the ability to execute arbitrary code on the remote hosts participating in the Mooncake-based KV distribution, potentially compromising the confidentiality, integrity, and availability of the LLM serving infrastructure.

The referenced GitHub security advisory, pull request, and commit indicate that the fix is delivered by upgrading to vLLM 0.8.0, which removes the unsafe deserialization path for Mooncake traffic.

The component is used in LLM inference environments, making the vulnerability relevant to AI/ML deployments that rely on distributed KV caching.

EU & UK References

Vulnerability details

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This…

more

is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llms, vllm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The CVE describes a network-exposed unsafe deserialization vulnerability in vLLM (via ZMQ/TCP on all interfaces) that directly enables remote code execution with adjacent network access, mapping to exploitation of remote services for code execution on the target hosts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-11041Same product: Vllm Vllm
CVE-2025-24357Same product: Vllm Vllm
CVE-2025-62164Same product: Vllm Vllm
CVE-2025-66448Same product: Vllm Vllm
CVE-2026-22807Same product: Vllm Vllm
CVE-2026-22773Same product: Vllm Vllm
CVE-2026-25960Same product: Vllm Vllm
CVE-2026-22778Same product: Vllm Vllm
CVE-2026-27893Same product: Vllm Vllm
CVE-2026-24779Same product: Vllm Vllm

Affected Assets

vllm
vllm
0.6.5 — 0.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of the unsafe deserialization vulnerability fixed in vLLM 0.8.0, directly preventing RCE exploitation.

prevent

Information input validation at system entry points detects and rejects untrusted deserialized data over ZMQ/TCP, blocking CWE-502 attacks.

prevent

Boundary protection monitors and controls network communications to block unauthorized adjacent access to the exposed ZMQ/TCP interfaces.

References