Cybersecurity researchers have uncovered essential distant code execution vulnerabilities impacting main synthetic intelligence (AI) inference engines, together with these from Meta, Nvidia, Microsoft, and open-source PyTorch initiatives equivalent to vLLM and SGLang.
“These vulnerabilities all traced again to the identical root trigger: the neglected unsafe use of ZeroMQ (ZMQ) and Python’s pickle deserialization,” Oligo Safety researcher Avi Lumelsky mentioned in a report revealed Thursday.
At its core, the difficulty stems from what has been described as a sample referred to as ShadowMQ, during which the insecure deserialization logic has propagated to a number of initiatives on account of code reuse.
The foundation trigger is a vulnerability in Meta’s Llama massive language mannequin (LLM) framework (CVE-2024-50050, CVSS rating: 6.3/9.3) that was patched by the corporate final October. Particularly, it concerned using ZeroMQ’s recv_pyobj() technique to deserialize incoming information utilizing Python’s pickle module.
This, coupled with the truth that the framework uncovered the ZeroMQ socket over the community, opened the door to a situation the place an attacker can execute arbitrary code by sending malicious information for deserialization. The difficulty has additionally been addressed within the pyzmq Python library.
Oligo has since found the identical sample recurring in different inference frameworks, equivalent to NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server, vLLM, and SGLang.
“All contained almost an identical unsafe patterns: pickle deserialization over unauthenticated ZMQ TCP sockets,” Lumelsky mentioned. “Completely different maintainers and initiatives maintained by completely different corporations – all made the identical mistake.”
Tracing the origins of the issue, Oligo discovered that in no less than a couple of circumstances, it was the results of a direct copy-paste of code. For instance, the weak file in SGLang says it is tailored by vLLM, whereas Modular Max Server has borrowed the identical logic from each vLLM and SGLang, successfully perpetuating the identical flaw throughout codebases.
The problems have been assigned the next identifiers –
- CVE-2025-30165 (CVSS rating: 8.0) – vLLM (Whereas the difficulty just isn’t fastened, it has been addressed by switching to the V1 engine by default)
- CVE-2025-23254 (CVSS rating: 8.8) – NVIDIA TensorRT-LLM (Fastened in model 0.18.2)
- CVE-2025-60455 (CVSS rating: N/A) – Modular Max Server (Fastened)
- Sarathi-Serve (Stays unpatched)
- SGLang (Carried out incomplete fixes)
With inference engines performing as an important part inside AI infrastructures, a profitable compromise of a single node might allow an attacker to execute arbitrary code on the cluster, escalate privileges, conduct mannequin theft, and even drop malicious payloads like cryptocurrency miners for monetary acquire.
“Initiatives are transferring at unimaginable velocity, and it’s normal to borrow architectural elements from friends,” Lumelsky mentioned. “However when code reuse contains unsafe patterns, the results ripple outward quick.”
The disclosure comes as a brand new report from AI security platform Knostic has discovered that it is doable to compromise Cursor’s new built-in browser by way of JavaScript injection strategies, to not point out leverage a malicious extension to facilitate JavaScript injection as a way to take management of the developer workstation.
The primary assault includes registering a rogue native Mannequin Context Protocol (MCP) server that bypasses Cursor’s controls to permit an attacker to exchange the login pages inside the browser with a bogus web page that harvests credentials and exfiltrates them to a distant server underneath their management.
“As soon as a consumer downloaded the MCP server and ran it, utilizing an mcp.json file inside Cursor, it injected code into Cursor’s browser that led the consumer to a faux login web page, which stole their credentials and despatched them to a distant server,” security researcher Dor Munis mentioned.
On condition that the AI-powered supply code editor is basically a fork of Visible Studio Code, a foul actor might additionally craft a malicious extension to inject JavaScript into the working IDE to execute arbitrary actions, together with marking innocent Open VSX extensions as “malicious.”
“JavaScript working contained in the Node.js interpreter, whether or not launched by an extension, an MCP server, or a poisoned immediate or rule, instantly inherits the IDE’s privileges: full file-system entry, the flexibility to change or substitute IDE features (together with put in extensions), and the flexibility to persist code that reattaches after a restart,” the corporate mentioned.
“As soon as interpreter-level execution is on the market, an attacker can flip the IDE right into a malware distribution and exfiltration platform.”
To counter these dangers, it is important that customers disable Auto-Run options of their IDEs, vet extensions, set up MCP servers from trusted builders and repositories, test what information and APIs the servers entry, use API keys with minimal required permissions, and audit MCP server supply code for essential integrations.
