csaf_redhat - rhsa-2025:10404

RHSA-2025:10404

Vulnerability from csaf_redhat - Published: 2025-07-07 10:29 - Updated: 2025-12-18 23:32

Summary

Red Hat Security Advisory: Red Hat AI Inference Server 3.0 (CUDA)

Notes

Topic

Red Hat AI Inference Server 3.0 (CUDA) is now available.

Details

Red Hat® AI Inference Server

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat AI Inference Server 3.0 (CUDA) is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat\u00ae AI Inference Server",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10404",
        "url": "https://access.redhat.com/errata/RHSA-2025:10404"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/cve-2025-47277",
        "url": "https://access.redhat.com/security/cve/cve-2025-47277"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://www.redhat.com/en/products/ai/inference-server",
        "url": "https://www.redhat.com/en/products/ai/inference-server"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10404.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat AI Inference Server 3.0 (CUDA)",
    "tracking": {
      "current_release_date": "2025-12-18T23:32:19+00:00",
      "generator": {
        "date": "2025-12-18T23:32:19+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.14"
        }
      },
      "id": "RHSA-2025:10404",
      "initial_release_date": "2025-07-07T10:29:00+00:00",
      "revision_history": [
        {
          "date": "2025-07-07T10:29:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-12-18T18:31:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-12-18T23:32:19+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat AI Inference Server 3.1",
                "product": {
                  "name": "Red Hat AI Inference Server 3.1",
                  "product_id": "Red Hat AI Inference Server 3.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ai_inference_server:3.1::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat AI Inference Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64",
                "product": {
                  "name": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64",
                  "product_id": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/vllm-cuda-rhel9@sha256%3A771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998?arch=amd64\u0026repository_url=registry.redhat.io/rhaiis\u0026tag=3.1.0-1751522544"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
                "product": {
                  "name": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
                  "product_id": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/vllm-cuda-rhel9@sha256%3A64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa?arch=arm64\u0026repository_url=registry.redhat.io/rhaiis\u0026tag=3.1.0-1751522544"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64 as a component of Red Hat AI Inference Server 3.1",
          "product_id": "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64"
        },
        "product_reference": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
        "relates_to_product_reference": "Red Hat AI Inference Server 3.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64 as a component of Red Hat AI Inference Server 3.1",
          "product_id": "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64"
        },
        "product_reference": "registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64",
        "relates_to_product_reference": "Red Hat AI Inference Server 3.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47277",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2025-05-20T18:00:58.703636+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2367605"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vLLM. This vulnerability allows unauthorized access to key-value caches via network exposure of the `TCPStore` interface when using the `PyNcclPipe` KV cache transfer integration with the V0 engine.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vllm: vLLM Allows Remote Code Execution via PyNcclPipe Communication Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "By default, Red Hat products are configured to restrict vLLM nodes to an isolated network. However, this vulnerability could become relevant if customers change the specific configurations, and therefore, Red Hat products are affected.\n\nThis vulnerability is classified as Moderate rather than Critical because its exploitability and impact are constrained by specific deployment contexts and assumptions about network trust boundaries. While the use of pickle.loads on untrusted input typically leads to remote code execution (RCE), the vulnerable PyNcclPipe interface is not intended to be exposed to the internet or untrusted networks, it is designed for use within a secured, internal cluster environment as explicitly documented by vLLM. Successful exploitation requires an attacker to have direct network access to a misconfigured or poorly segmented system where the KV cache transfer service is bound to a public interface. Additionally, the vulnerable code path exists only in a niche configuration (V0 engine with PyNcclPipe), further reducing its exposure. Therefore, while the flaw does introduce RCE risk in misconfigured setups, the combination of non-default exposure, clear documentation, and limited applicability justifies a reduced impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
          "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-47277"
        },
        {
          "category": "external",
          "summary": "RHBZ#2367605",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367605"
        },
        {
          "category": "external",
          "summary": "RHSB-2025-001",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2025-001"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-47277",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47277"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47277",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47277"
        },
        {
          "category": "external",
          "summary": "https://docs.vllm.ai/en/latest/deployment/security.html",
          "url": "https://docs.vllm.ai/en/latest/deployment/security.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7",
          "url": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7"
        },
        {
          "category": "external",
          "summary": "https://github.com/vllm-project/vllm/pull/15988",
          "url": "https://github.com/vllm-project/vllm/pull/15988"
        },
        {
          "category": "external",
          "summary": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv",
          "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv"
        }
      ],
      "release_date": "2025-05-20T17:32:27.034000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-07T10:29:00+00:00",
          "details": "For more information visit https://access.redhat.com/errata/RHSA-2025:10404",
          "product_ids": [
            "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
            "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10404"
        },
        {
          "category": "workaround",
          "details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
            "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:64a80edcb6ff725047d8154404e95b425765f504c44e4a959b11cc75fd5fa4aa_arm64",
            "Red Hat AI Inference Server 3.1:registry.redhat.io/rhaiis/vllm-cuda-rhel9@sha256:771bc45e13c5294baa27ea8918d2ecfe7ce89d64a36344a7ee8e70b2b8254998_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vllm: vLLM Allows Remote Code Execution via PyNcclPipe Communication Service"
    }
  ]
}

CVE-2025-47277 (GCVE-0-2025-47277)

Vulnerability from cvelistv5 – Published: 2025-05-20 17:32 – Updated: 2025-05-20 17:52

Title

vLLM Allows Remote Code Execution via PyNcclPipe Communication Service

Summary

vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the `PyNcclPipe` class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the `PyNcclCommunicator` class, while CPU-side control message passing is handled via the `send_obj` and `recv_obj` methods on the CPU side. The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/vllm-project/vllm/security/adv…	x_refsource_CONFIRM
	https://github.com/vllm-project/vllm/pull/15988	x_refsource_MISC
	https://github.com/vllm-project/vllm/commit/0d6e1…	x_refsource_MISC
	https://docs.vllm.ai/en/latest/deployment/security.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vllm-project	vllm	Affected: >= 0.6.5, < 0.8.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47277",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T17:52:22.643444Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T17:52:31.274Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vllm",
          "vendor": "vllm-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.6.5, \u003c 0.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the\u00a0`PyNcclPipe`\u00a0class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the\u00a0`PyNcclCommunicator`\u00a0class, while CPU-side control message passing is handled via the\u00a0`send_obj`\u00a0and\u00a0`recv_obj`\u00a0methods on the CPU side.\u200b The intention was that this interface should only be exposed to a private network using the IP address specified by the `--kv-ip` CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the `TCPStore` interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the `TCPStore` instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-20T17:32:27.034Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv"
        },
        {
          "name": "https://github.com/vllm-project/vllm/pull/15988",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/pull/15988"
        },
        {
          "name": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7"
        },
        {
          "name": "https://docs.vllm.ai/en/latest/deployment/security.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.vllm.ai/en/latest/deployment/security.html"
        }
      ],
      "source": {
        "advisory": "GHSA-hjq4-87xh-g4fv",
        "discovery": "UNKNOWN"
      },
      "title": "vLLM Allows Remote Code Execution via PyNcclPipe Communication Service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47277",
    "datePublished": "2025-05-20T17:32:27.034Z",
    "dateReserved": "2025-05-05T16:53:10.373Z",
    "dateUpdated": "2025-05-20T17:52:31.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2025:10404

CVE-2025-47277 (GCVE-0-2025-47277)

Tags

Sightings

Nomenclature