vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.
The MessageQueue.dequeue() function directly passes data received from a network socket to the pickle.loads function without performing any validation or source verification. The pickle mechanism in Python is inherently unsafe when deserializing untrusted data, as it allows arbitrary executable code to be embedded in the payload. An attacker can send a crafted payload to the MessageQueue queue, which will be automatically deserialized and executed on the victim's machine.
An unauthenticated attacker can remotely execute arbitrary code on the server (RCE), which in practice means complete system takeover, data theft, backdoor installation, or further network propagation (lateral movement).
Apply patches available from the vendor according to the references. Patch details are available at: https://huntr.com/bounties/00136195-11e0-4ad0-98d5-72db066e867f. Until the patch is deployed, restrict network access to the MessageQueue API exclusively to trusted hosts using a firewall or network rules.
vllm-project vllm version v0.6.2
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVllm
APPVllm0.6.2
Related vulnerabilities
Pominięcie uwierzytelnienia w vLLM — bypass klucza API OpenAI
vLLM: wyciek adresu sterty umożliwiający RCE przez endpoint multimodalny
vLLM: niezamierzone nasłuchiwanie TCPStore na wszystkich interfejsach sieciowych
RCE w vLLM poprzez deserializację pickle na niezabezpieczonych gniazdach ZeroMQ
RCE przez niebezpieczną deserializację w vLLM z Mooncake (ZMQ/TCP)