TL;DR: Critical remote code execution flaws in AI inference servers have spread across Meta, NVIDIA, Microsoft, vLLM, SGLang, and Modular because unsafe ZeroMQ plus Python pickle patterns were copied between projects, with thousands of exposed ZMQ sockets seen online, according to Oligo Security. The finding shows that shared code inheritance can turn one deserialization mistake into ecosystem-wide AI infrastructure risk.
NHIMG editorial — based on content published by Oligo Security: ShadowMQ: How Code Reuse Spread Critical Vulnerabilities Across the AI Ecosystem
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: What breaks when AI inference servers use pickle over exposed ZMQ sockets?
A: Exposed ZMQ sockets plus pickle deserialization break the trust boundary between network input and executable code.
Q: Why do copied AI framework patterns increase remote code execution risk?
A: Copied patterns increase risk because insecure runtime logic often travels with the code, not just the feature.
Q: How can security teams tell whether an AI service is too exposed?
A: A service is too exposed when it accepts network traffic on broad interfaces, lacks authentication on internal messaging, or processes untrusted data with executable deserializers.
Practitioner guidance
- Eliminate pickle-based deserialization from exposed inference paths Replace recv_pyobj and similar convenience methods with authenticated, structured message formats that do not execute code during parsing.
- Bind AI services to trusted network interfaces only Avoid tcp://* and other all-interface bindings for inference servers.
- Trace copied code through the AI stack Review where shared inference code was adapted from upstream projects and flag line-for-line reuse of messaging or serialization logic.
What's in the full report
Oligo Security's full research covers the operational detail this post intentionally leaves for the source:
- Exact code lineage examples showing how the vulnerable pattern moved between vLLM, SGLang, TensorRT-LLM, and other frameworks
- Patch timeline and version references for affected projects, including where fixes were incomplete or still pending
- Runtime detection logic for identifying pyzmq, recv_pyobj(), and pickle.loads in active execution paths
- Evidence from live demonstrations showing how the flaw can be triggered in real environments
👉 Read Oligo Security's analysis of ShadowMQ and AI inference RCE →
ShadowMQ and AI inference RCE: what security teams missed?
Explore further
ShadowMQ is a communication-layer trust failure, not just a vulnerability class. The problem is that AI inference systems often treat network-delivered objects as if they were local, trusted state. That assumption fails when unauthenticated sockets and pickle deserialization meet production exposure, because the message boundary becomes an execution boundary. Practitioners should treat this as evidence that runtime trust in AI infrastructure has to be explicit, not implied.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
A question worth separating out:
Q: What should teams do first after finding unsafe deserialization in an inference stack?
A: Teams should isolate the endpoint, remove unauthenticated object deserialization, and confirm whether the vulnerable path appears in any copied or downstream code. Then they should inventory exposed sockets, review access to connected secrets, and validate that the service cannot pivot into other workloads.
👉 Read our full editorial: ShadowMQ exposes how code reuse spreads AI inference RCE