Deserialization in Vllm-project Vllm

CVE-2025-32444

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5 that use the vLLM integration with mooncake are vulnerable to remote code execution due to using pickle based…

Vulnerability class: Insecure Deserialization

EPSS: 0.025 (85.6th percentile).

CVSS v3 metrics

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Frequently asked questions

What is CVE-2025-32444?
CVE-2025-32444 is a critical-severity vulnerability in Vllm-project Vllm, classified under Deserialization of Untrusted Data. CVSS score: 10.0/10. Published 2025-04-30.

How severe is CVE-2025-32444?
Critical severity. CVSS v3 base score is 10.0 out of 10.

Is CVE-2025-32444 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.