*By [Your Name], June 2024*
Overview
CVE-2025-47277 refers to a network exposure vulnerability in vLLM, a popular high-performance inference engine for Large Language Models (LLMs). The issue exclusively affects setups that use the PyNcclPipe integration for key-value (KV) cache transfer, on versions v.6.5 through v.8.4 — and only with the *V engine*.
If your stack does not use the PyNcclPipe for KV-cache transfer, your deployment isn't exposed. Still, given how easy it may be to misconfigure, and that vLLM often powers models with sensitive data or significant compute, a deeper understanding matters.
This post will detail what the bug is, why it matters, how it can be exploited, and how to fix it with code and configuration.
PyNcclCommunicator: Handles *GPU-side* transfer.
- send_obj/recv_obj: Methods for *CPU-side* message passing.
Intended Security
The PyNcclPipe setup lets nodes exchange GPU KV-Cache data efficiently, and is supposed to only be reachable on a private, secured network (e.g., 10.x or 192.168.x addresses). The vLLM docs explicitly state the IP needs to be locked down, passed at runtime via the --kv-ip parameter.
Expectation: Only private-LAN devices should be able to talk to this socket.
The Flaw
PyTorch's TCPStore *ignores* the given listen IP and binds its socket to all network interfaces (...), not the one specified. Thus, even with a supposedly "private" IP passed, anyone with network reach—WAN, cloud VPC, VPNs, etc.—could potentially access the distributed service.
Example Configuration
# (Assuming a typical launch command)
python -m vllm.entrypoints.openai.api_server \
--host ... \
--kv-ip 10...42 \
--kv-port 13500
You intended only internal 10...42 traffic to connect.
But internally, PyTorch's TCPStore runs
self.server_socket.bind(('...', 13500)) # All interfaces!
What's Actually Exposed?
All CPU-side control messages for KV Cache transfers are now world-accessible. A remote attacker discovering the socket (via scan, misconfigured firewall, or cloud misnetworking) could:
Disrupt inference communication protocol
- Try arbitrary deserialization payloads (send_obj/recv_obj)
- Potentially trigger RCE if downstream code base is unguarded/unserialized
Here’s how an attacker could interact directly with the TCPStore server
import socket
s = socket.socket()
s.connect(('target-vllm-ip', 13500)) # 13500 is the --kv-port
# At this point, with the protocol, attacker can start sending/receiving control messages, or fuzz for vulnerabilities.
The actual TCPStore protocol is not HTTP, but a simple socket connection; attackers can scan for open ports then brute or fuzz, seeking infoleaks or memory corruption.
As of vLLM .8.5, the TCPStore gets forced to bind only to the desired private IP interface.
Reference commit:
- vLLM fix PR #xxx (Link to actual PR fixing it)
A workaround instructs TCPStore to use the specified interface
if version >= v.8.5:
self.server_socket.bind((kv_ip, kv_port)) # Only on specified interface
else:
# Before fix: Binds to ... regardless of kv_ip!
self.server_socket.bind(('...', kv_port))
Upgrade immediately to vLLM .8.5+
See: vLLM Release Notes
Original Issue Report:
GitHub Issue (add actual issue link if public)
vLLM Security Advisories:
TCPStore Documentation:
PyTorch TCPStore docs
CVE Details:
- NIST: CVE-2025-47277 (will be live once database updates)
Summary
- If you use vLLM in distributed mode, and especially with PyNcclPipe, this CVE means your backend transfer protocol may be exposed to everyone on your network, *not just* those on the private subnet you specified.
- All vLLM users using versions .6.5 to .8.4 must upgrade to v.8.5 or higher, and audit what ports/IPs are reachable until then.
- Do not trust --kv-ip alone for security until patched—check your firewalls and your vLLM version.
Timeline
Published on: 05/20/2025 18:15:46 UTC
Last modified on: 05/21/2025 20:24:58 UTC