Cybersecurity researchers have identified critical remote code execution (RCE) vulnerabilities impacting major AI inference frameworks, including those maintained by Meta, Nvidia, Microsoft, and open-source projects like vLLM and SGLang. These flaws, collectively termed the ShadowMQ pattern, stem from unsafe deserialization of Python objects over ZeroMQ (ZMQ) sockets.
Root Cause: Unsafe Deserialization
According to Avi Lumelsky of Oligo Security, the vulnerabilities originate from an overlooked design pattern: Python's pickle module used to deserialize messages arriving on exposed ZMQ sockets. The most prominent case was discovered in Meta's Llama LLM framework (CVE-2024-50050, CVSS 6.3/9.3), which used pyzmq's recv_pyobj() (a helper that unpickles whatever bytes it receives) to deserialize incoming data over network-exposed sockets, allowing attackers to execute arbitrary code remotely.
Subsequent investigation revealed that the same unsafe approach has propagated across other frameworks, including:
- NVIDIA TensorRT-LLM
- Microsoft Sarathi-Serve
- Modular Max Server
- vLLM
- SGLang
Lumelsky explained that this code reuse often involves copy-paste practices, making multiple frameworks susceptible to identical vulnerabilities.
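As an added example (not code from the report or from any of the named projects), a small stdlib-only audit helper that flags the pattern described above in Python sources, shown against a constructed vulnerable snippet and a hardened, data-only variant; the socket addresses and request field names are assumptions.

```python
"""Audit helper (added example): flag the ShadowMQ anti-pattern, pickle-based
deserialization of network input over ZeroMQ, in Python source files."""
import ast

# Modules whose load()/loads() construct arbitrary objects from bytes.
PICKLE_MODULES = {"pickle", "cloudpickle", "dill"}


def _call_parts(node):
    """Split a call into (receiver name, attribute), e.g. sock.recv_pyobj()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        base = func.value.id if isinstance(func.value, ast.Name) else None
        return base, func.attr
    return None, getattr(func, "id", None)


def find_unsafe_deserialization(source, filename="<src>"):
    """Return (filename, line, reason) for each unsafe deserialization call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        base, attr = _call_parts(node)
        if attr == "recv_pyobj":  # pyzmq helper: recv() followed by pickle.loads()
            findings.append((filename, node.lineno, "zmq recv_pyobj() unpickles network input"))
        elif attr in ("load", "loads") and base in PICKLE_MODULES:
            findings.append((filename, node.lineno, f"{base}.{attr}() on possibly untrusted bytes"))
    return findings


# Constructed sample modelled on the pattern the report describes (assumed address).
VULNERABLE = """
import zmq, pickle
sock = zmq.Context().socket(zmq.PULL)
sock.bind("tcp://0.0.0.0:5555")   # reachable from the network
req = sock.recv_pyobj()           # unsafe: the sender chooses the object
raw = pickle.loads(sock.recv())   # same flaw, spelled out
"""

# Hardened form: a data-only format plus explicit field validation (assumed fields).
HARDENED = """
import zmq, json
sock = zmq.Context().socket(zmq.PULL)
sock.bind("tcp://127.0.0.1:5555")
msg = json.loads(sock.recv())
if not (isinstance(msg, dict) and set(msg) <= {"prompt", "max_tokens"}): raise ValueError("bad request")
"""
```

Run find_unsafe_deserialization over each file in a checkout to get a quick inventory of pickle-over-socket call sites before deciding which need the data-only rewrite.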
Assigned CVEs and Patch Status
The key vulnerabilities and their current status include:
- CVE-2025-30165 – vLLM (Mitigated by switching to V1 engine)
- CVE-2025-23254 – NVIDIA TensorRT-LLM (Fixed in version 0.18.2)
- CVE-2025-60455 – Modular Max Server (Fixed)
- Sarathi-Serve – Still unpatched
- SGLang – Partial mitigation implemented
Impact on AI Infrastructure
AI inference engines are central components in machine learning clusters. Exploiting a single vulnerable node can allow attackers to:
- Execute arbitrary code across the cluster
- Escalate privileges
- Steal AI models
- Deploy malicious payloads such as cryptocurrency miners
“The speed of AI development and frequent code reuse accelerates the propagation of insecure patterns,” Lumelsky noted.
Related Browser-Based Threats
Separately, Knostic researchers discovered JavaScript injection attacks targeting Cursor, an AI-powered source code editor. Attackers could register rogue Model Context Protocol (MCP) servers to inject malicious code, redirecting users to fake login pages and harvesting credentials.
Since Cursor is based on Visual Studio Code, malicious extensions or MCP servers can inherit the IDE's privileges, potentially gaining full file system access and establishing persistent code execution.
Mitigation Recommendations
To protect against these attacks, researchers recommend:
- Disabling auto-run in IDEs
- Verifying the trustworthiness of extensions
- Installing MCP servers from reputable sources only
- Auditing server code and limiting API permissions
- Monitoring for unusual file or network activity