Severity
High
Analysis Summary
The rapid expansion of artificial intelligence infrastructure has introduced critical security risks, as demonstrated by researchers’ discovery of multiple high-severity Remote Code Execution (RCE) vulnerabilities across major AI frameworks from Meta, NVIDIA, Microsoft, and the PyTorch ecosystem. These flaws, collectively named “ShadowMQ”, arise from unsafe ZeroMQ (ZMQ) communication channels combined with Python’s pickle deserialization, a dangerous combination that allows unauthenticated remote code execution. Frameworks impacted include Meta’s Llama Stack, vLLM, SGLang, NVIDIA TensorRT-LLM, Modular Max Server, and Microsoft Sarathi-Serve, with CVSS scores reaching as high.
Researchers traced the origin of the vulnerability to Meta’s Llama Stack in 2024, where they found ZMQ’s recv_pyobj() method being used without authentication or validation. This method automatically deserializes incoming messages via pickle, meaning an attacker who can reach the socket can send a malicious payload to achieve full RCE. After Meta issued a patch, further analysis revealed that the same insecure code had been copied across multiple AI projects, causing the vulnerability to spread throughout the ecosystem. In several cases, entire source files had been reused with little modification, enabling the CVE-2024-50050 flaw to propagate like a software supply-chain infection.
The affected frameworks power large-scale enterprise AI systems, including GPU clusters handling sensitive model operations, user data, and inference workloads. Organizations relying on SGLang include major global entities such as xAI, NVIDIA, AMD, Intel, Oracle Cloud, LinkedIn, MIT, Stanford, Google Cloud, AWS, and Microsoft Azure. With thousands of exposed ZMQ sockets detected on the public internet, many configured without encryption, authentication, or network isolation, attackers could exploit the vulnerabilities to execute code, escalate privileges, exfiltrate proprietary AI models, or deploy cryptominers within production AI pipelines.
While patches have been released for Meta Llama Stack, vLLM, NVIDIA TensorRT-LLM, and Modular Max Server, Microsoft’s Sarathi-Serve remains unpatched and SGLang’s fix is incomplete. Organizations using any of these frameworks should immediately update to secure versions, disable or limit pickle-based deserialization, enforce strict authentication on ZMQ endpoints, and restrict network exposure to internal traffic only. The ShadowMQ case highlights a critical supply-chain weakness in AI development: widespread copy-paste reuse of insecure code, resulting in synchronized vulnerabilities across multiple high-impact AI platforms.
Impact
- Code Execution
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2024-50050
Remediation
- Immediately update all affected AI frameworks (Meta Llama Stack, vLLM, NVIDIA TensorRT-LLM, Modular Max Server) to the latest patched versions.
- Avoid using Python pickle with untrusted or external data, especially within ZMQ communication channels.
- Replace recv_pyobj() and similar unsafe ZMQ methods with secure serialization formats such as JSON, MessagePack, or Protocol Buffers.
- Enforce authentication on all ZMQ sockets, using mechanisms like CURVE or TLS to prevent unauthorized remote access.
- Restrict network exposure by isolating ZMQ endpoints behind internal networking, firewalls, or VPN-only access.
- Encrypt all ZMQ communications to prevent interception or tampering of model data and system instructions.
- Implement strict input validation and deserialization controls to prevent execution of malicious payloads.
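The following is an added example, not code from any of the affected frameworks, showing what the recv_pyobj() problem described in the analysis and the "replace with JSON, enforce CURVE, validate input" remediation items above look like in practice. A worker receives raw bytes from its socket and passes them through a JSON decoder with an allow-list schema, so no deserializer that can execute code ever touches network input; a CURVE-enabled server socket is built alongside it. The message field names, the size limit and the op names are assumptions for this example, and the pyzmq-dependent function is imported lazily so the rest runs offline.

```python
import json

# Pickle protocol 2 and later frames start with the PROTO opcode (0x80), so a
# receiver that expects JSON can refuse such bytes before any parser runs.
# This is only a cheap early-warning signal for logging: the real control is
# that this code never calls pickle.loads() on network input at all.
PICKLE_PROTO_OPCODE = b"\x80"

MAX_MESSAGE_BYTES = 64 * 1024

# Allow-list schema for the single request shape this worker accepts.
# Field names are an assumption for this example, not any real framework's wire format.
SCHEMA = {"op": str, "request_id": str, "prompt": str, "max_tokens": int}
ALLOWED_OPS = frozenset({"generate", "abort"})


class RejectedMessage(ValueError):
    """Raised for any inbound frame that fails the checks below."""


def looks_like_pickle(raw: bytes) -> bool:
    """True if the frame begins with a pickle PROTO opcode (protocol 2+)."""
    return raw[:1] == PICKLE_PROTO_OPCODE


def decode_message(raw: bytes) -> dict:
    """Parse one inbound frame as JSON and validate it against SCHEMA.

    Nothing here can execute code from the payload: json.loads() only yields
    plain dicts, lists, strings and numbers, and every field is type-checked.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise RejectedMessage("frame exceeds size limit")
    if looks_like_pickle(raw):
        raise RejectedMessage("pickle-framed payload refused")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise RejectedMessage(f"not valid JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise RejectedMessage("top-level value must be a JSON object")
    if set(obj) != set(SCHEMA):
        raise RejectedMessage("unexpected or missing fields")
    for key, expected in SCHEMA.items():
        # Exact type match: bool is a subclass of int, and `true` must not pass as a count.
        if type(obj[key]) is not expected:
            raise RejectedMessage(f"field {key!r} must be {expected.__name__}")
    if obj["op"] not in ALLOWED_OPS:
        raise RejectedMessage("unknown op")
    if not 1 <= obj["max_tokens"] <= 4096:
        raise RejectedMessage("max_tokens out of range")
    return obj


def encode_message(msg: dict) -> bytes:
    """Sender-side replacement for send_pyobj(): compact UTF-8 JSON."""
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


def make_curve_server(ctx, bind_addr: str):
    """Build a REP socket that speaks CURVE, so traffic is encrypted and clients
    must know the server's public key.

    Needs pyzmq built with CURVE support and is not exercised by the offline demo.
    Keys would normally come from a secrets store rather than being generated here.
    """
    import zmq  # imported lazily so the rest of the module runs without pyzmq

    server_public, server_secret = zmq.curve_keypair()
    sock = ctx.socket(zmq.REP)
    sock.curve_secretkey = server_secret
    sock.curve_publickey = server_public
    sock.curve_server = True
    sock.bind(bind_addr)
    return sock, server_public


def handle_frame(raw: bytes) -> dict:
    """Per-frame worker logic: raw recv() bytes go through decode_message(), never recv_pyobj()."""
    try:
        req = decode_message(raw)
    except RejectedMessage as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "ok", "request_id": req["request_id"]}


if __name__ == "__main__":
    # Constructed sample frames for an offline demonstration.
    good = encode_message({"op": "generate", "request_id": "r-1", "prompt": "hi", "max_tokens": 16})
    pickle_like = b"\x80\x04\x95"  # bytes shaped like a pickle protocol-4 header, no payload
    for frame in (good, pickle_like, b'{"op":"shutdown"}'):
        print(handle_frame(frame))
```

Two design points worth noting. First, `curve_server = True` on its own gives encryption and server authentication only; any client holding a valid key pair and the server's public key can still connect, so client allow-listing requires a ZAP authenticator (pyzmq's `zmq.auth` module) in addition to the socket options shown. Second, the pickle opcode check exists so that a rejected frame can be logged as a likely probe, not as a substitute for removing pickle from the receive path; a receiver that still calls `pickle.loads()` anywhere on socket input remains exposed regardless of such checks.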