What is CVE-2025-29783?

CVE-2025-29783 is a critical-severity vulnerability in Vllm-project Vllm, classified under Deserialization of Untrusted Data. CVSS score: 9.1/10. Published 2025-03-19.

How severe is CVE-2025-29783?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2025-29783 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Vllm-project Vllm

CVE-2025-29783

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute r…

Vulnerability class: Insecure Deserialization

EPSS: 0.021 (84.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Vllm-project Vllm — versions >= 0.6.5, < 0.8.0

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

honysyang/eleaipoc

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-x3m8-f7g5-qhm7 (x_refsource_CONFIRM)
https://github.com/vllm-project/vllm/pull/14228 (x_refsource_MISC)
https://github.com/vllm-project/vllm/commit/288ca110f68d23909728627d3100e5a8db820aa2 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-29783?: CVE-2025-29783 is a critical-severity vulnerability in Vllm-project Vllm, classified under Deserialization of Untrusted Data. CVSS score: 9.1/10. Published 2025-03-19.
How severe is CVE-2025-29783?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2025-29783 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.