#VU121143 Deserialization of untrusted data in vLLM - CVE-2025-30165

Cybersecurity Help s.r.o.

Published: 2026-01-09

Vulnerability identifier: #VU121143

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-30165

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
vLLM
Universal components / Libraries / Libraries used by multiple products

Vendor: vLLM

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in multi-node cluster configuration within the V0 engine. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

vLLM: 0.5.2 - 0.9.2

External links
https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Deserialization of untrusted data in vLLM multi-node cluster configuration