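Critical CVSS 9.8 Remote Code Execution Vulnerability in vLLM Exposes AI Servers
A critical vulnerability, CVE-2025-47277, has been found in vLLM, with a CVSS score of 9.8. The vulnerability leads to remote code execution through unsafe deserialization in PyNcclPipe. An attacker can exploit it to take control of the server. The issue stems from PyTorch binding to all interfaces by default. vLLM has fixed the issue and recommends upgrading to v0.8.5 to reduce the risk. 2025-5-21 00:43:40 Author: securityonline.info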


A critical vulnerability—CVE-2025-47277—has been disclosed in vLLM, a high-performance inference and serving engine for large language models (LLMs). The flaw enables remote code execution (RCE) via an unsafe deserialization bug in the PyNcclPipe communication service, and has been assigned a CVSS score of 9.8.

Originally developed at UC Berkeley’s Sky Computing Lab, vLLM is now a community-driven project that provides a fast and easy-to-use library for LLM inference and serving. It supports distributed deployment, advanced KV cache management, and is integrated with industry-scale LLM infrastructure.

The vulnerability is present in the PyNcclPipe class, which facilitates KV cache transfer between distributed nodes using peer-to-peer messaging. The CPU-side message passing mechanism uses Python’s pickle module to serialize and deserialize data.

“The PyNcclPipe implementation contains a critical security flaw where it directly processes client-provided data using pickle.loads, creating an unsafe deserialization vulnerability that can lead to Remote Code Execution,” the advisory explains.

By sending a maliciously crafted object to a running PyNcclPipe service, an attacker can exploit this flaw to execute arbitrary system commands on the host, effectively gaining full control of the server.

The root issue also traces back to PyTorch’s TCPStore binding behavior: “The default behavior from PyTorch is that the TCPStore interface will listen on ALL interfaces, regardless of what IP address is provided.”

vLLM has implemented a workaround to ensure it binds to a specified private interface, reducing the risk of exposure. Users are advised to update immediately to vLLM v0.8.5.
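The unsafe pattern described above is a call to `pickle.loads` on bytes received from a peer. The following is an added example, not vLLM's code or its fix, of a receive path that refuses every class or function reference during decoding and then validates the result against a fixed schema. The `dtype`/`shape` message layout, the allowlist and the function names are assumptions made for illustration.

```python
import collections
import io
import pickle

ALLOWED_DTYPES = {"float16", "bfloat16", "float32"}  # assumed allowlist
MAX_DIMS = 8                                          # assumed upper bound


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function reference."""

    def find_class(self, module, name):
        # Any GLOBAL/STACK_GLOBAL opcode lands here; plain dict, tuple,
        # str and int values are decoded without ever calling it.
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_metadata(data: bytes) -> dict:
    """Decode peer-supplied metadata bytes and validate them strictly."""
    obj = NoGlobalsUnpickler(io.BytesIO(data)).load()
    if type(obj) is not dict or set(obj) != {"dtype", "shape"}:
        raise ValueError("unexpected metadata structure")
    dtype, shape = obj["dtype"], obj["shape"]
    if not isinstance(dtype, str) or dtype not in ALLOWED_DTYPES:
        raise ValueError("unexpected dtype")
    if not isinstance(shape, (list, tuple)) or not 0 < len(shape) <= MAX_DIMS:
        raise ValueError("unexpected shape")
    if not all(type(d) is int and 0 < d < 2**31 for d in shape):
        raise ValueError("unexpected dimension")
    return {"dtype": dtype, "shape": tuple(shape)}


def is_accepted(data: bytes) -> bool:
    """True only if the message passes both decoding and validation."""
    try:
        load_metadata(data)
        return True
    except Exception:  # fail closed on any decode or validation error
        return False


if __name__ == "__main__":
    # Constructed sample messages, all benign.
    ok = pickle.dumps({"dtype": "float16", "shape": (2, 16, 128)})
    typed = pickle.dumps(collections.OrderedDict(dtype="float16", shape=(1,)))
    extra = pickle.dumps({"dtype": "float16", "shape": (1,), "port": 1})
    for label, msg in (("plain dict", ok), ("typed object", typed), ("extra key", extra)):
        print(label, "->", "accepted" if is_accepted(msg) else "rejected")
```

Where the message format can be changed, a data-only encoding such as JSON avoids the problem at the source; the restricted unpickler is a fallback for code that has to keep reading pickle.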

Source: https://securityonline.info/critical-cvss-9-8-rce-flaw-in-vllm-exposes-ai-hosts-to-remote-attacks/