Critical Remote Code Execution Vulnerability in vLLM via Mooncake Integration - #CVE-2025-29783
A critical security vulnerability (CVE-2025-29783) with a maximum CVSS score of 10 has been discovered in vLLM, a popular library for Large Language Model inference and serving. The vulnerability, affecting versions 0.6.5 to 0.7.x, is related to vLLM's integration with Mooncake for distributed LLM deployments. It stems from an unsafe deserialization process using pickle.loads() over ZMQ/TCP, potentially allowing remote code execution on distributed hosts. The lack of network controls and authentication exacerbates the risk. Users are strongly advised to upgrade to version 0.8.0 immediately, as it contains the necessary patch to address this serious security flaw.