SCA: security update for vllm (GHSA-9f8f-2vmf-885j)

high Tenable Cloud Security Plugin ID 425771

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting
from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-
node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication
purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the
socket is always opened for a multi-node deployment, it is only used when doing tensor parallelism across
multiple hosts. Any client with network access to this host can connect to this XPUB socket unless its
port is blocked by a firewall. Once connected, these arbitrary clients will receive all of the same data
broadcasted to all of the secondary vLLM hosts. This data is internal vLLM state information that is not
useful to an attacker. By potentially connecting to this socket many times and not reading data published
to them, an attacker can also cause a denial of service by slowing down or potentially blocking the
publisher. This issue has been patched in version 0.8.5. (CVE-2025-30202)

Solution

Update the vllm library and its related packages to version 0.8.5 or later.

See Also

https://github.com/advisories/GHSA-9f8f-2vmf-885j

Plugin Details

Severity: High

ID: 425771

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 4/29/2025

Updated: 7/17/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.66

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-30202

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/29/2025

Vulnerability Publication Date: 4/29/2025

Reference Information

CVE: CVE-2025-30202

cwe: CWE-770