Overview
In the realm of cybersecurity, the discovery and understanding of vulnerabilities is a critical endeavor. The vulnerability we’re exploring today, known as CVE-2025-30165, is a serious security issue that affects vLLM, an inference and serving engine for large language models. This vulnerability specifically affects the V0 engine in a multi-node deployment of vLLM. The consequences of this vulnerability could be catastrophic, potentially leading to system compromises and data leakage. This issue matters greatly because it could allow attackers to execute arbitrary code on remote machines, leading to a serious security breach if not mitigated promptly.
Vulnerability Summary
CVE ID: CVE-2025-30165
Severity: High (8.0 CVSS score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Potential system compromise or data leakage
Affected Products
Product | Affected Versions
vLLM | Up to v0.8.0
How the Exploit Works
The vulnerability lies in vLLM’s use of ZeroMQ for multi-node communication in its V0 engine. The secondary vLLM hosts open a `SUB` ZeroMQ socket and connect to an `XPUB` socket on the primary vLLM host. When data is received on this `SUB` socket, it is deserialized with `pickle`. The issue lies with this deserialization, which can be exploited to execute arbitrary code on a remote machine.
An attacker, having compromised the primary vLLM host, could abuse this vulnerability to compromise the rest of the hosts in the vLLM deployment. Alternatively, an attacker could also exploit the vulnerability indirectly, for instance, by using ARP cache poisoning to redirect traffic to a malicious endpoint and deliver a payload with arbitrary code to execute on the target machine.
Conceptual Example Code
Below is a conceptual example of the vulnerable receive pattern on a secondary host: data arriving on the `SUB` socket is passed straight to `pickle`.
```python
import pickle

import zmq

# Set up a ZeroMQ context
context = zmq.Context()
# Set up a SUB socket and connect to the XPUB socket on the primary vLLM host
subscriber = context.socket(zmq.SUB)
subscriber.connect("tcp://localhost:5556")
# Subscribe to every topic; a SUB socket with no subscription receives nothing
subscriber.setsockopt(zmq.SUBSCRIBE, b"")
# Listen for data on the SUB socket
while True:
    address, contents = subscriber.recv_multipart()
    # Vulnerable step: the received bytes are deserialized with pickle, and
    # pickle can run code chosen by the sender while loading
    payload = pickle.loads(contents)
    # Conceptual stand-in for the sender's code running on this host
    exec(payload)
```
Note: This is merely a conceptual example and not actual exploit code. It is intended to illustrate the vulnerability and is not suitable for actual use.
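A hardened version of the receive step, added here as an example and not vLLM's code or its actual fix: the subscriber authenticates each message with an HMAC and then unpickles it with every global lookup refused. The three-frame layout, the shared key, `MAX_BYTES` and the function names are assumptions made for illustration.

```python
import collections
import hashlib
import hmac
import io
import pickle

MAX_BYTES = 1 << 20  # assumed upper bound for one control message


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only built-in scalars and
    containers (dict, list, str, int, bytes, ...) can be rebuilt."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def sign(key, address, contents):
    """HMAC-SHA256 over the length-prefixed address and the contents."""
    data = len(address).to_bytes(4, "big") + address + contents
    return hmac.new(key, data, hashlib.sha256).digest()


def decode_broadcast(frames, key):
    """Validate [address, contents, tag] frames before deserializing."""
    if len(frames) != 3:
        raise ValueError("expected address, contents and tag frames")
    address, contents, tag = frames
    if len(contents) > MAX_BYTES:
        raise ValueError("message too large")
    # Authenticate first: unauthenticated bytes never reach the unpickler.
    if not hmac.compare_digest(tag, sign(key, address, contents)):
        raise ValueError("bad message tag")
    return address, DataOnlyUnpickler(io.BytesIO(contents)).load()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample, not a real secret
    plain = pickle.dumps({"method": "step", "args": [1, 2]})
    print(decode_broadcast([b"worker", plain, sign(key, b"worker", plain)], key))
    # A pickle that names any global (here a harmless stdlib class) is refused.
    typed = pickle.dumps(collections.OrderedDict(a=1))
    try:
        decode_broadcast([b"worker", typed, sign(key, b"worker", typed)], key)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The tag check covers the redirected-traffic case described above. The data-only unpickler is the layer that still applies when the primary host itself is compromised and can produce valid tags.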