| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-737m-tpkz-qffm |
| vulnerability_id |
VCID-737m-tpkz-qffm |
| summary |
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use of Python's built-in hash() function. As of Python 3.12, the behavior of hash(None) has changed to be a predictable constant value. This makes it more feasible that someone could try exploit hash collisions. The impact of a collision would be using cache that was generated using different content. Given knowledge of prompts in use and predictable hashing behavior, someone could intentionally populate the cache using a prompt known to collide with another prompt in use. This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-25183, GHSA-rm76-4mrf-v9r8, PYSEC-2025-62
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-737m-tpkz-qffm |
|
| 1 |
| url |
VCID-e8w2-9rwg-u7ba |
| vulnerability_id |
VCID-e8w2-9rwg-u7ba |
| summary |
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-46570, GHSA-4qjh-9fv9-r85r, PYSEC-2025-53
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e8w2-9rwg-u7ba |
|
| 2 |
| url |
VCID-fxgs-s1vm-8bez |
| vulnerability_id |
VCID-fxgs-s1vm-8bez |
| summary |
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-32444, PYSEC-2025-42
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fxgs-s1vm-8bez |
|
| 3 |
| url |
VCID-k1qz-xe9c-2bg3 |
| vulnerability_id |
VCID-k1qz-xe9c-2bg3 |
| summary |
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-29770, GHSA-mgrm-fgjv-mhv8, PYSEC-2025-223
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k1qz-xe9c-2bg3 |
|
| 4 |
| url |
VCID-nctw-rz8h-f3af |
| vulnerability_id |
VCID-nctw-rz8h-f3af |
| summary |
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-22773, GHSA-grg2-63fw-f2qr, PYSEC-2026-143
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nctw-rz8h-f3af |
|
| 5 |
| url |
VCID-svzy-7pke-2bdr |
| vulnerability_id |
VCID-svzy-7pke-2bdr |
| summary |
vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-46722, GHSA-c65p-x677-fgj6, PYSEC-2025-43
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-svzy-7pke-2bdr |
|
| 6 |
| url |
VCID-u659-sd9h-tkf3 |
| vulnerability_id |
VCID-u659-sd9h-tkf3 |
| summary |
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-29783, GHSA-x3m8-f7g5-qhm7, PYSEC-2025-63
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u659-sd9h-tkf3 |
|
| 7 |
| url |
VCID-ugds-eqgw-fbbz |
| vulnerability_id |
VCID-ugds-eqgw-fbbz |
| summary |
vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-48887, PYSEC-2025-50
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ugds-eqgw-fbbz |
|
| 8 |
| url |
VCID-w9kt-yaqy-47fb |
| vulnerability_id |
VCID-w9kt-yaqy-47fb |
| summary |
vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-24357, GHSA-rh4j-5rhw-hr54, PYSEC-2025-58
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w9kt-yaqy-47fb |
|
|
|---|