CVE-2025-47277: vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
vLLM supports the use of the PyNcclPipe class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, while CPU-side control message passing is handled via the send_obj and recv_obj methods on the CPU side.
A remote code execution vulnerability exists in the PyNcclPipe service. Attackers can exploit this by sending malicious serialized data to gain server control privileges.
The intention was that this interface should only be exposed to a private network using the IP address specified by the --kv-ip CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html
Unfortunately, the default behavior from PyTorch is that the TCPStore interface will listen on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the TCPStore instance to bind its socket to a specified private interface.
This issue was reported privately to PyTorch and they determined that this behavior was intentional.
References
- docs.vllm.ai/en/latest/deployment/security.html
- github.com/advisories/GHSA-hjq4-87xh-g4fv
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7
- github.com/vllm-project/vllm/pull/15988
- github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv
- nvd.nist.gov/vuln/detail/CVE-2025-47277
Code Behaviors & Features
Detect and mitigate CVE-2025-47277 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →