Impacted Deployments
Note that vLLM instances that do NOT make use of the mooncake integration are NOT vulnerable.
Description
vLLM integration with mooncake is vaulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack.
This is a similar to GHSA - x3m8 - f7g5 - qhm7, the problem is in
|
ack = self.sender_ack.recv_pyobj() |
Here recv_pyobj() Contains implicit pickle.loads(), which leads to potential RCE.
Finder is kexoh (Xiangfan Wu) from XingTu Team of Legendsec at QI-ANXIN Group.
kexinoh Reporter
ShangmingCai Remediation developer
russellb Coordinator
Impacted Deployments
Note that vLLM instances that do NOT make use of the mooncake integration are NOT vulnerable.
Description
vLLM integration with mooncake is vaulnerable to remote code execution due to using
picklebased serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack.This is a similar to GHSA - x3m8 - f7g5 - qhm7, the problem is in
vllm/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py
Line 179 in 32b14ba
Here recv_pyobj() Contains implicit
pickle.loads(), which leads to potential RCE.Finder is kexoh (Xiangfan Wu) from XingTu Team of Legendsec at QI-ANXIN Group.