By NHI Mgmt Group Editorial TeamPublished 2025-11-13Domain: Breaches & IncidentsSource: Oligo Security

TL;DR: Critical remote code execution flaws in AI inference servers have spread across Meta, NVIDIA, Microsoft, vLLM, SGLang, and Modular because unsafe ZeroMQ plus Python pickle patterns were copied between projects, with thousands of exposed ZMQ sockets seen online, according to Oligo Security. The finding shows that shared code inheritance can turn one deserialization mistake into ecosystem-wide AI infrastructure risk.


At a glance

What this is: ShadowMQ is Oligo Security's analysis of how unsafe ZeroMQ and Python pickle patterns propagated remote code execution risk across major AI inference servers.

Why it matters: It matters because AI platform teams often inherit the same machine identity, network exposure, and runtime trust assumptions across stacks, so one copied flaw can become many production attack paths.

By the numbers:

👉 Read Oligo Security's analysis of ShadowMQ and AI inference RCE


Context

ShadowMQ is a software reuse problem that becomes an identity and access problem when inference servers accept untrusted data over exposed network sockets. In plain terms, a convenience serialization path can turn into remote code execution if it assumes the caller is trustworthy when the network is not.

For AI platform and IAM teams, the issue is not just whether a single framework has a bug. It is whether shared libraries, inherited defaults, and open sockets create a reusable attack surface across the AI stack, especially where service identities and runtime trust are already loosely controlled.


Key questions

Q: What breaks when AI inference servers use pickle over exposed ZMQ sockets?

A: Exposed ZMQ sockets plus pickle deserialization break the trust boundary between network input and executable code. A remote caller can supply data that is interpreted as objects, not just bytes, which can lead to remote code execution. The practical result is that one exposed service can become a bridge into models, secrets, and adjacent systems.

Q: Why do copied AI framework patterns increase remote code execution risk?

A: Copied patterns increase risk because insecure runtime logic often travels with the code, not just the feature. When maintainers adapt messaging or serialization code without re-evaluating the security model, the same flaw can appear in multiple projects. That creates ecosystem-wide exposure from a single design mistake.

Q: How can security teams tell whether an AI service is too exposed?

A: A service is too exposed when it accepts network traffic on broad interfaces, lacks authentication on internal messaging, or processes untrusted data with executable deserializers. The most useful signal is whether a compromise of one node could reach model assets, secrets, or internal services without additional barriers.

Q: What should teams do first after finding unsafe deserialization in an inference stack?

A: Teams should isolate the endpoint, remove unauthenticated object deserialization, and confirm whether the vulnerable path appears in any copied or downstream code. Then they should inventory exposed sockets, review access to connected secrets, and validate that the service cannot pivot into other workloads.


Technical breakdown

Unsafe deserialization in ZMQ endpoints

ZeroMQ is a messaging layer, but the risk comes from how applications use it. In these frameworks, recv_pyobj() deserialised incoming messages with Python pickle, which can execute arbitrary code during loading. When that path is exposed over unauthenticated TCP sockets, the application is effectively asking the network to send executable objects. This is not a model issue or an AI prompt issue. It is a runtime trust boundary failure in the communication layer, where convenience serialization replaces authenticated message handling.

Practical implication: remove pickle-based message handling from any exposed inference path and require authenticated, structured serialization instead.

Code reuse turns one flaw into many

ShadowMQ is the pattern, not the bug. The same unsafe deserialization logic reappeared in multiple projects because code was copied, adapted, or inherited with minimal security review. That creates a supply-chain style propagation path inside the AI ecosystem, where a single insecure pattern survives versioning, maintainership changes, and framework boundaries. The security problem is amplified because these systems are often deployed as shared infrastructure, so the same mistake can land in many clusters and environments before it is recognised as common lineage.

Practical implication: trace code provenance for shared AI components and treat copied runtime primitives as inherited risk until reviewed.

Exposed inference servers enlarge the blast radius

Inference servers often sit close to model data, prompts, secrets, and internal services, so a successful RCE is rarely limited to one process. Once arbitrary code runs, an attacker can pivot to adjacent workloads, steal tokens, manipulate model outputs, or plant cryptominers. The key architectural issue is not only code execution but placement: public exposure plus high-value internal connectivity creates a large blast radius. That is why unauthenticated sockets and weak network binding choices are so dangerous in AI infrastructure.

Practical implication: restrict inference endpoints to trusted networks, add authentication, and assume a single exposed node can become a cluster-wide incident.


Threat narrative

Attacker objective: The attacker aims to turn a single exposed inference service into durable code execution and downstream access to AI infrastructure assets.

  1. Entry occurs through an exposed ZMQ endpoint that accepts untrusted traffic from the public internet.
  2. Credential access is replaced here by unsafe deserialization, where pickle loads attacker-controlled content into executable code.
  3. Escalation follows when arbitrary code execution on the inference server is used to pivot into adjacent systems, model assets, or secrets.
  4. Impact includes cluster compromise, model or secret exfiltration, and the possibility of cryptomining or broader operational disruption.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ShadowMQ is a communication-layer trust failure, not just a vulnerability class. The problem is that AI inference systems often treat network-delivered objects as if they were local, trusted state. That assumption fails when unauthenticated sockets and pickle deserialization meet production exposure, because the message boundary becomes an execution boundary. Practitioners should treat this as evidence that runtime trust in AI infrastructure has to be explicit, not implied.

Code reuse has created an inheritance model for insecure AI infrastructure. The same unsafe primitive can move from one framework to another with line-for-line fidelity, which means security review must follow provenance, not just package version. This is why common AI stack dependencies need security lineage analysis, especially when maintainers borrow performance code from peer projects. The practitioner conclusion is that inherited code paths require inherited scrutiny.

ShadowMQ shows that AI platform blast radius is determined as much by network exposure as by code quality. A single deserialization bug matters far more when the affected service is reachable from the internet and connected to model data or internal services. That makes endpoint placement, socket binding, and authentication part of identity governance for machine workloads. Teams need to judge AI services by where they sit in the trust graph, not only by whether they are patched.

Model-serving infrastructure now behaves like shared identity infrastructure, so least privilege must extend to service endpoints. The practical lesson is that AI inference is not isolated compute. It is a governed runtime with its own access boundaries, and those boundaries fail when unauthenticated code paths can invoke privileged behavior. Security teams should fold AI runtime exposure into the same review discipline they use for workload identity and privileged service accounts.

ShadowMQ is a named example of hidden communication-layer propagation across the AI stack. The useful concept is not merely vulnerable serialization, but copied trust assumptions that survive framework reuse. That is the pattern practitioners should look for in modern AI infrastructure: the bug is local, the governance failure is systemic. The conclusion is to inspect shared primitives as if they were part of the identity plane.

From our research:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
  • That same speed of exploitation is why teams should pair exposure reduction with deeper guidance in AI LLM hijack breach when runtime AI systems expose credentials or open sockets.

What this signals

ShadowMQ creates a new category of AI runtime exposure that identity teams cannot treat as ordinary code quality debt. Once a framework accepts untrusted objects over a network socket, the question becomes who or what is allowed to execute inside the service boundary. That pushes AI infrastructure closer to workload identity governance than traditional AppSec, especially when the same code path is reused across clusters and providers.

The strongest programme response is to treat shared inference components as governed runtime assets rather than application libraries. That means exposure mapping, provenance review, and service boundary control belong in the same operational conversation, because copied messaging code can silently expand the blast radius of a single defect.

With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, the security gap is not theoretical. It shows up when teams let AI services inherit permissive network reach and assume the runtime will stay benign.


For practitioners

  • Eliminate pickle-based deserialization from exposed inference paths Replace recv_pyobj and similar convenience methods with authenticated, structured message formats that do not execute code during parsing. Treat any network-facing pickle usage as a security defect, not a coding style choice.
  • Bind AI services to trusted network interfaces only Avoid tcp://* and other all-interface bindings for inference servers. Restrict exposure to specific interfaces, front them with authentication, and verify that public scanning cannot reach production sockets.
  • Trace copied code through the AI stack Review where shared inference code was adapted from upstream projects and flag line-for-line reuse of messaging or serialization logic. Provenance review should be part of secure code intake for AI platform components.
  • Add runtime detection for ZMQ plus pickle combinations Instrument production environments to detect when pyzmq, recv_pyobj, and pickle.loads appear together in the same execution path. Use that signal to prioritise exposure assessment and incident response.

Key takeaways

  • ShadowMQ shows that insecure deserialization in AI inference servers is a shared runtime trust problem, not a one-off framework bug.
  • The exposure was broad enough to affect multiple major AI projects and thousands of public ZMQ sockets, which turns one coding pattern into ecosystem risk.
  • Teams should remove executable deserialization, constrain network exposure, and review copied inference code as part of AI workload governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Exposed service endpoints and unsafe deserialization map to NHI trust boundary failures.
NIST CSF 2.0PR.AC-3Authentication on messaging endpoints is central to limiting unauthorised access.
NIST Zero Trust (SP 800-207)AC-4Zero Trust segmentation applies to public inference endpoints and internal pivot risk.

Inventory exposed AI services and remove any network-facing executable deserialization.


Key terms

  • Unsafe Deserialization: Unsafe deserialization occurs when software turns incoming data into executable objects without sufficient validation. In AI infrastructure, that becomes dangerous when a network message can trigger code execution instead of being handled as inert input. The risk is highest where convenience APIs hide the trust boundary.
  • Inference Server: An inference server is the runtime service that accepts prompts or requests and returns model outputs. In practice, it often sits close to sensitive data, internal services, and deployment credentials, which means its attack surface is larger than a simple application endpoint.
  • Runtime Trust Boundary: A runtime trust boundary is the point where a service decides whether external input is safe to process as privileged behavior. When that boundary is weak, the system may treat untrusted network data as if it were local, authenticated state, which can lead to code execution or lateral movement.
  • Code Provenance: Code provenance is the lineage of software components and the paths by which code moves between projects. For security teams, provenance matters because copied logic can import hidden assumptions, unsafe defaults, and exploitable patterns that survive across repositories and maintainers.

What's in the full report

Oligo Security's full research covers the operational detail this post intentionally leaves for the source:

  • Exact code lineage examples showing how the vulnerable pattern moved between vLLM, SGLang, TensorRT-LLM, and other frameworks
  • Patch timeline and version references for affected projects, including where fixes were incomplete or still pending
  • Runtime detection logic for identifying pyzmq, recv_pyobj(), and pickle.loads in active execution paths
  • Evidence from live demonstrations showing how the flaw can be triggered in real environments

👉 The full Oligo Security report covers code reuse patterns, exposed socket findings, and remediation details

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org