CVE-2025-32444
Published: 30 April 2025
Summary
CVE-2025-32444 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Vllm Vllm. Its CVSS base score is 10.0 (Critical).
Operationally, ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.
Deeper analysis
vLLM is a high-throughput inference and serving engine for large language models. CVE-2025-32444 affects versions 0.6.5 through 0.8.4 that enable the optional mooncake integration. The flaw stems from the use of Python pickle serialization over unauthenticated ZeroMQ sockets that bind to all network interfaces, allowing deserialization of untrusted data (CWE-502) and resulting in a CVSS 10.0 remote code execution vector.
An attacker reachable to the ZeroMQ endpoints can send a malicious pickle payload and execute arbitrary code on the vLLM host without authentication or user interaction. Only deployments that activate mooncake are exposed; instances that do not use this integration remain unaffected.
The project has released version 0.8.5, which disables the vulnerable code path. Remediation guidance and the fixing commit are documented in the GitHub Security Advisories GHSA-hj4w-hm2g-p6w5 and GHSA-x3m8-f7g5-qhm7, along with the associated pull request that removes the insecure socket configuration.
The EPSS score rose from a low baseline to a recorded peak of 0.0776, indicating emerging exploitation interest after disclosure and suggesting the issue merits renewed monitoring in LLM-serving environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12670
Vulnerability details
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ…
more
sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llms, vllm
Related Threats
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
Validates or rejects untrusted serialized data before deserialization occurs.
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information can detect tampering before deserialization occurs.
Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.