1. Basic information for vulnerability CVE-2025-30202
Vulnerability information
                                        # Data exposure via ZeroMQ on multi-node vLLM deployment

Vulnerability title
Data exposure via ZeroMQ on multi-node vLLM deployment
Source: U.S. National Vulnerability Database (NVD)
Vulnerability description
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the socket is always opened for a multi-node deployment, it is only used when doing tensor parallelism across multiple hosts. Any client with network access to this host can connect to this XPUB socket unless its port is blocked by a firewall. Once connected, these arbitrary clients will receive all of the same data broadcasted to all of the secondary vLLM hosts. This data is internal vLLM state information that is not useful to an attacker. By potentially connecting to this socket many times and not reading data published to them, an attacker can also cause a denial of service by slowing down or potentially blocking the publisher. This issue has been patched in version 0.8.5.
Source: U.S. National Vulnerability Database (NVD)
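A defender-side check for the exposure described above, as an added example that is not part of the advisory or the vLLM project: it tests a version string against the affected range and flags TCP listeners bound to every interface in `ss -H -ltnp` output. The sample output, its ports and PIDs, and the `proc_hint` process-name filter are assumptions constructed for illustration.

```python
import re

# Affected range taken from the description above: >= 0.5.2 and < 0.8.5.
FIRST_AFFECTED, FIRST_FIXED = (0, 5, 2), (0, 8, 5)
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def is_affected(version: str) -> bool:
    """True if a vLLM version string falls in the affected range.
    Only the first three numeric components are compared; suffixes are ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return FIRST_AFFECTED <= parts < FIRST_FIXED

def wildcard_listeners(ss_output: str, proc_hint: str = "python"):
    """Return (process, pid, port) for TCP listeners bound to every interface."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; rpartition keeps "[::]" intact.
        host, _, port = fields[3].rpartition(":")
        proc = PROC_RE.search(line)
        if host not in WILDCARD_HOSTS or proc is None:
            continue
        if proc_hint in proc.group(1):
            findings.append((proc.group(1), int(proc.group(2)), int(port)))
    return findings

# Constructed sample of `ss -H -ltnp` output; addresses, PIDs and ports are made up.
SAMPLE_SS = """\
LISTEN 0 100   0.0.0.0:45123 0.0.0.0:* users:(("python3",pid=4121,fd=57))
LISTEN 0 2048 10.0.0.5:8000  0.0.0.0:* users:(("python3",pid=4121,fd=31))
LISTEN 0 128      [::]:22       [::]:* users:(("sshd",pid=800,fd=4))
LISTEN 0 100         *:5555        *:* users:(("python3",pid=4121,fd=60))
"""

if __name__ == "__main__":
    print("0.8.4 affected:", is_affected("0.8.4"))
    for name, pid, port in wildcard_listeners(SAMPLE_SS):
        print(f"{name} (pid {pid}) listens on all interfaces, port {port}")
```

Any listener this reports on a multi-node host is a candidate for a firewall rule or an upgrade to 0.8.5; which reported port belongs to the XPUB socket has to be confirmed on the host itself.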
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
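Source: U.S. National Vulnerability Database (NVD)
Vulnerability category
Allocation of Resources Without Limits or Throttling
Source: U.S. National Vulnerability Database (NVD)
Vulnerability title
vLLM security vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability description
vLLM is an open-source, high-throughput and memory-efficient inference and serving engine for LLMs from vLLM. vLLM versions from 0.5.2 up to but not including 0.8.5 contain a security vulnerability that stems from ZeroMQ and can lead to denial of service and data exposure.
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability category
Other
Source: China National Vulnerability Database of Information Security (CNNVD)
2. Public PoCs for vulnerability CVE-2025-30202
# PoC Description Source link Shenlong link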
3. Intelligence on vulnerability CVE-2025-30202
  • Title: [core][distributed] add zmq fallback for broadcasting large objects by youkaichao · Pull Request #6183 · vllm-project/vllm · GitHub -- 🔗 Source link

    Tags: x_refsource_MISC

  • Title: Denial of Service via ZeroMQ on Multi-node vLLM Deployment · Advisory · vllm-project/vllm · GitHub -- 🔗 Source link

    Tags: x_refsource_CONFIRM

  • Title: [Security] Don't bind tcp zmq socket to all interfaces (#17197) · vllm-project/vllm@a0304dc · GitHub -- 🔗 Source link

    Tags: x_refsource_MISC

  • https://nvd.nist.gov/vuln/detail/CVE-2025-30202