
CVE-2025-32444: Critical Vulnerability in vllm

A critical remote code execution vulnerability has been identified in vllm versions prior to 0.8.5. Organizations using affected versions should prioritize patching to prevent potential exploitation through unsecured ZeroMQ sockets.

CRITICAL · CVSS 10 · Published April 30, 2025


This vulnerability allows remote code execution in vllm versions from 0.6.5 up to, but not including, 0.8.5. It arises from pickle-based serialization used over unsecured ZeroMQ sockets that were bound to all network interfaces rather than to the loopback address, which exposes the sockets to any host that can reach them. As a result, an attacker who can connect to one of these sockets can potentially execute arbitrary code on the receiving process. Deployments of vllm that do not use the mooncake integration are not affected.
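The two root causes named above, deserializing untrusted input with pickle and binding the socket to every interface, are each checkable before a message is ever loaded. The following Python is an added defensive example written for this advisory; it is not vllm's or mooncake's own code, does not require pyzmq (the byte strings stand in for frames read from a socket), and all function names are hypothetical. It scans a pickle stream for object-construction opcodes, loads only plain data through a restricted unpickler, and flags ZeroMQ bind endpoints that are not loopback-only.

```python
import datetime
import io
import pickle
import pickletools

# Pickle opcodes that resolve importable names or invoke callables during
# loading. A stream carrying only plain data (dicts, lists, str, int, bytes)
# never needs them, so their presence means the sender is asking the receiver
# to construct arbitrary objects.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                 "REDUCE", "BUILD"}


def pickle_uses_risky_opcodes(data: bytes) -> bool:
    """Static scan of a pickle stream; nothing is executed or loaded."""
    return any(op.name in RISKY_OPCODES
               for op, _arg, _pos in pickletools.genops(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused global reference {module}.{name}")


def restricted_loads(data: bytes):
    """Load a pickle stream while rejecting any object construction."""
    if pickle_uses_risky_opcodes(data):
        raise pickle.UnpicklingError("stream contains object-construction opcodes")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_loopback_endpoint(endpoint: str) -> bool:
    """True for ZeroMQ bind endpoints that other hosts cannot reach.

    ZeroMQ endpoints look like tcp://host:port, ipc://path or inproc://name.
    'tcp://*:port', 'tcp://0.0.0.0:port' and 'tcp://[::]:port' listen on
    every interface and are reported as exposed.
    """
    if endpoint.startswith(("ipc://", "inproc://")):
        return True
    if not endpoint.startswith("tcp://"):
        return False
    host = endpoint[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
    return host in {"127.0.0.1", "::1", "localhost"}


# Constructed sample messages (hypothetical request shape, not vllm's format).
def sample_plain_message() -> bytes:
    return pickle.dumps({"request_id": 7, "prompt": "hello", "max_tokens": 16})


def sample_object_message() -> bytes:
    # A harmless datetime.date: its pickle still carries a global reference
    # plus REDUCE, the same stream shape a hostile sender would rely on.
    return pickle.dumps(datetime.date(2025, 4, 30))


def classify(data: bytes) -> str:
    """'accepted' for plain-data pickles, 'rejected' for anything else."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    for ep in ("tcp://*:5555", "tcp://0.0.0.0:5555", "tcp://127.0.0.1:5555"):
        print(ep, "loopback-only" if is_loopback_endpoint(ep) else "EXPOSED")
    print("plain dict:", classify(sample_plain_message()))      # accepted
    print("pickled object:", classify(sample_object_message()))  # rejected
```

The opcode scan and the restricted unpickler are belt and braces: the scan rejects a stream before any of it is interpreted, and `find_class` is the last line of defence if a scan is ever bypassed. The endpoint check is the configuration-level control the advisory describes; the stronger fix, which vllm 0.8.5 applies, is to stop accepting pickle from the network at all and move to a data-only format such as JSON or msgpack.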

The severity of this vulnerability is classified as critical, with a CVSS score of 10.0, reflecting unauthenticated, network-reachable code execution with full impact on confidentiality, integrity, and availability. Organizations should treat remediation as urgent.

Although no public exploit is currently known for this vulnerability, exploits for remote code execution flaws of this kind tend to appear quickly once details are published. Organizations should prioritize upgrading to version 0.8.5, where the issue has been fixed, and in the meantime ensure the affected ZeroMQ sockets are not reachable from untrusted networks.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
