[Security] Serialize using safetensors instead of pickle in Mooncake Pipe (#14228)

Signed-off-by: KuntaiDu <kuntai@uchicago.edu>

[Security] Serialize using safetensors instead of pickle in Mooncake Pipe (#14228)
Signed-off-by: KuntaiDu <kuntai@uchicago.edu>
288ca110 · Kuntai Du · GitHub · c2bd2196 · 288ca110
Unverified Commit 288ca110 authored Mar 04, 2025 by Kuntai Du Committed by GitHub Mar 04, 2025
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py +6 -6

No files found.
--- a/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py
+++ b/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py
@@ -2,13 +2,14 @@
 import json
 import os
-import pickle
 from concurrent.futures import ThreadPoolExecutor
 from dataclasses import dataclass
 from typing import Optional, Union
 import torch
 import zmq
+from safetensors.torch import load as safetensors_load
+from safetensors.torch import save as safetensors_save
 from vllm.config import KVTransferConfig
 from vllm.distributed.kv_transfer.kv_pipe.base import KVPipeBase
@@ -237,14 +238,13 @@ class MooncakePipe(KVPipeBase):
        return hash(tensor.data_ptr())
    def _send_impl(self, tensor: torch.Tensor) -> None:
-        """Implement the tensor sending logic."""
+        """Implement the tensor sending logic using safetensors."""
-        value_bytes = pickle.dumps(tensor)
+        self.transfer_engine.send_bytes(safetensors_save({"tensor": tensor}))
-        self.transfer_engine.send_bytes(value_bytes)
    def _recv_impl(self) -> torch.Tensor:
-        """Implement the tensor receiving logic."""
+        """Implement the tensor receiving logic using safetensors."""
        data = self.transfer_engine.recv_bytes()
-        return pickle.loads(data)
+        return safetensors_load(data)["tensor"].to(self.device)
    def send_tensor(self, tensor: Optional[torch.Tensor]) -> None:
        """Send tensor to the target process."""