Deserialization of Untrusted Data Affecting vllm-cuda-rhel9 package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Deserialization of Untrusted Data vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RHEL10-VLLMCUDARHEL9-10223291
- published26 May 2025
- disclosed20 May 2025
Introduced: 20 May 2025
NewCVE-2025-47277 (opens in a new tab)How to fix?
There is no fixed version for RHEL:10 vllm-cuda-rhel9.
NVD Description
Note: Versions mentioned in the description apply only to the upstream vllm-cuda-rhel9 package and not the vllm-cuda-rhel9 package as distributed by RHEL.
See How to fix? for RHEL:10 relevant fixed versions and status.
vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the PyNcclPipe KV cache transfer integration with the V0 engine. No other configurations are affected. vLLM supports the use of the PyNcclPipe class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, while CPU-side control message passing is handled via the send_obj and recv_obj methods on the CPU side. The intention was that this interface should only be exposed to a private network using the IP address specified by the --kv-ip CLI parameter. The vLLM documentation covers how this must be limited to a secured network. The default and intentional behavior from PyTorch is that the TCPStore interface listens on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the TCPStore instance to bind its socket to a specified private interface. As of version 0.8.5, vLLM limits the TCPStore socket to the private interface as configured.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2367605
- https://access.redhat.com/security/vulnerabilities/RHSB-2025-001
- https://access.redhat.com/security/cve/CVE-2025-47277
- https://docs.vllm.ai/en/latest/deployment/security.html
- https://github.com/vllm-project/vllm/commit/0d6e187e88874c39cda7409cf673f9e6546893e7
- https://github.com/vllm-project/vllm/pull/15988
- https://github.com/vllm-project/vllm/security/advisories/GHSA-hjq4-87xh-g4fv