CVE-2025-47277
📋 TL;DR
This vulnerability in vLLM versions 0.6.5 through 0.8.4 exposes the TCPStore interface on ALL network interfaces instead of only the specified private interface when using PyNcclPipe KV cache transfer with the V0 engine. This allows unauthorized network access to the KV cache communication channel. Only environments using this specific distributed configuration are affected.
💻 Affected Systems
- vLLM
📦 What is this software?
Vllm by Vllm
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution, data exfiltration, or complete system compromise via unauthorized access to the distributed communication channel.
Likely Case
Unauthorized access to sensitive model data, inference manipulation, or denial of service through network exploitation of the exposed interface.
If Mitigated
Limited to internal network access only, with proper network segmentation preventing external exploitation.
🎯 Exploit Status
The vulnerability exposes a network interface that should be private, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.5
Vendor Advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv
Restart Required: Yes
Instructions:
1. Upgrade vLLM to version 0.8.5 or later using pip: pip install vllm>=0.8.5
2. Restart all vLLM services using the updated version
3. Verify the fix by checking that TCPStore now binds only to the specified private interface
🔧 Temporary Workarounds
Network Segmentation
linuxIsolate the vLLM deployment network using firewall rules to restrict access to only authorized hosts.
iptables -A INPUT -p tcp --dport [KV_CACHE_PORT] -s [AUTHORIZED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [KV_CACHE_PORT] -j DROP
Disable PyNcclPipe Integration
allTemporarily disable the vulnerable PyNcclPipe KV cache transfer feature if not essential.
Modify vLLM configuration to use alternative KV cache transfer methods
🧯 If You Can't Patch
- Implement strict network access controls and firewall rules to limit access to the vLLM service ports
- Deploy vLLM in an isolated network segment with no internet or unauthorized network access
🔍 How to Verify
Check if Vulnerable:
Check vLLM version and configuration: 1. Run vLLM with --version flag 2. Verify if using PyNcclPipe with V0 engine 3. Check if version is between 0.6.5 and 0.8.4Check Version:
python -c "import vllm; print(vllm.__version__)" or vllm --versionVerify Fix Applied:
After patching: 1. Confirm vLLM version is 0.8.5 or higher 2. Use netstat or ss to verify TCPStore socket is bound only to the specified private interface 3. Test that unauthorized network access is blocked📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to vLLM KV cache ports
- Unexpected network traffic to vLLM service ports
- Errors in vLLM logs related to network connections
Network Indicators:
- Unexpected TCP connections to vLLM KV cache ports from unauthorized IPs
- Network scans targeting vLLM service ports
- Anomalous data transfer patterns from vLLM nodes
SIEM Query:
source="vllm.logs" AND ("connection refused" OR "unauthorized access" OR "bind error") OR destination_port IN (vllm_kv_cache_ports) AND src_ip NOT IN (authorized_ips)