A chain of critical security vulnerabilities has been discovered across some of the world’s most widely used AI inference frameworks, affecting systems operated by Meta, Nvidia, Microsoft, and several major open-source platforms. According to research by Oligo Security, the flaws stem from insecure code that was repeatedly copied across projects, creating a systemic risk within the global AI ecosystem. Researchers traced the vulnerability to unsafe implementations of ZeroMQ messaging combined with Python’s insecure pickle deserialization. The pattern first appeared in Meta’s Llama Stack before proliferating into Nvidia’s TensorRT-LLM, vLLM, SGLang, and the Modular Max Server. Security experts say the issue highlights a rapidly growing problem in AI development: the spread of unsafe legacy code through copy-and-paste reuse that bypasses rigorous security review.
How the ShadowMQ Pattern Spread Across Frameworks
Oligo’s investigation found that a Meta component using ZeroMQ’s recv-pyobj() function was directly feeding incoming data into pickle.loads(), allowing arbitrary code execution if exploited through exposed sockets. Because pickle can run code during deserialization, the combination created a simple path for attackers to remotely execute commands. Developers in other frameworks reused the same logic, sometimes with minimal adaptation and occasionally retaining comments indicating the code had been taken from another repository. Oligo has named this phenomenon the ShadowMQ pattern, describing it as an under-the-radar mechanism by which insecure communication layers quietly migrate between AI projects. The flaw was catalogued as CVE-2024-50050 for Meta’s implementation and later assigned matching CVEs when found in vLLM, TensorRT-LLM, and Modular Max Server. All affected vendors have since released patched versions.
Why This Creates Systemic Risk for AI Infrastructure
The compromised inference servers sit at the core of enterprise AI deployments, running models, processing prompts, and handling sensitive customer workloads. Oligo reported finding thousands of publicly exposed ZeroMQ sockets, including some linked to GPU clusters used for commercial AI services. With access to these endpoints, attackers could potentially execute arbitrary code, steal model weights, deploy GPU-based cryptominers, or pivot deeper into an organization’s cloud environment. The issue is particularly concerning because frameworks such as SGLang are used by leading companies including Intel, AMD, Oracle Cloud, xAI, LinkedIn, and major hyperscalers. Security analysts warn that the widespread reliance on interoperable AI components amplifies supply-chain risk, making a single copied flaw capable of impacting the entire downstream ecosystem.
Vendor Response and Recommended Mitigations
Meta fixed its implementation by replacing pickle deserialization with JSON-based alternatives in Llama Stack v0.0.41. Nvidia patched TensorRT-LLM in version 0.18.2, while vLLM addressed the issue in version 0.8.0 and Modular resolved it in Max Server v25.6. Oligo recommends immediate upgrades to these patched releases to prevent exploitation. Additional guidance includes eliminating pickle for untrusted data, enforcing HMAC or TLS authentication on ZeroMQ communication channels, and educating development teams on the risks of reusing insecure code. Researchers caution that the incident demonstrates how quickly vulnerabilities can propagate when teams replicate design patterns without verifying their security properties. As AI deployment accelerates across industries, securing inference layers is becoming a top priority for enterprises seeking to protect models, workloads, and infrastructure.








