{"data":{"id":"97c493ed-868b-4e5f-a348-b0828eb14c7c","title":"CVE-2025-47277: vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that exposes the PyNcclPipe TCPStore socket on all network interfaces instead of only the --kv-ip interface","summary":"vLLM versions 0.6.5 through 0.8.4 are vulnerable when the V0 engine is used with `PyNcclPipe`, the peer-to-peer communication channel between hosts serving the model. The `TCPStore` socket that `PyNcclPipe` opens was bound to all network interfaces rather than only the private interface selected by the `--kv-ip` parameter, so any host able to reach the machine on that port could connect to it instead of only peers on the intended private network. This record classifies the weakness as CWE-502 (deserialization of untrusted data) with a critical CVSS 9.8 score, which indicates that the exposed socket accepts data that is unsafe to receive from an untrusted network; the exact data path is not described in this record.","solution":"Update to vLLM version 0.8.5 or later. According to the source: \"As of version 0.8.5, vLLM limits the `TCPStore` socket to the private interface as configured.\" Because the fix narrows the bind address to the interface chosen by `--kv-ip` rather than removing the listener, deployments should still set `--kv-ip` to a private-network address and restrict network access to that interface. On versions that cannot be upgraded yet, blocking the `TCPStore` port from untrusted networks is a reasonable interim mitigation.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-47277","publishedAt":"2025-05-20T22:15:46.730Z","cveId":"CVE-2025-47277","cweIds":["CWE-502"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["vLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00409,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}