CVE-2025-30165: 
Chainguard vulnerability analysis and mitigation

vLLM, an inference and serving engine for large language models, contains a remote code execution vulnerability (CVE-2025-30165) discovered and disclosed on May 6, 2025. The vulnerability affects vLLM versions >=0.5.2 specifically in deployments using tensor parallelism across multiple hosts with the V0 engine. The issue has been assigned a CVSS v3.1 base score of 8.0 (High) (GHSA Advisory).

The vulnerability exists in the multi-node communication mechanism where secondary vLLM hosts open a 'SUB' ZeroMQ socket and connect to an 'XPUB' socket on the primary vLLM host. When data is received on this SUB socket, it is deserialized using Python's pickle module, which is inherently unsafe as it can lead to arbitrary code execution. The vulnerability has been classified as CWE-502 (Deserialization of Untrusted Data) (NVD, GHSA Advisory).

If exploited, this vulnerability could allow attackers to execute arbitrary code on remote machines within the vLLM deployment. The vulnerability serves as an escalation point - if the primary vLLM host is compromised, it could be used to compromise all other hosts in the vLLM deployment. Additionally, attackers could exploit the vulnerability through other means, such as ARP cache poisoning, to redirect traffic to a malicious endpoint and execute arbitrary code on target machines (GHSA Advisory).

The maintainers have decided not to fix this issue since the V0 engine has been off by default since v0.8.0 and the fix would be invasive. Users are recommended to ensure their environment is on a secure network if this pattern is in use. The V1 engine is not affected by this vulnerability and should be used instead (GHSA Advisory).