Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-nhwm-kq25-t3dt

Summary

vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
The /v1/chat/completions and /tokenize endpoints allow a `chat_template_kwargs` request parameter that is used in the code before it is properly validated against the chat template. With the right `chat_template_kwargs` parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests

Aliases

alias	CVE-2025-62426

alias	GHSA-69j4-grxj-j64p

Fixed_packages

url pkg:pypi/vllm@0.11.1

purl pkg:pypi/vllm@0.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nctw-rz8h-f3af

vulnerability	VCID-za3a-c9m1-jqgz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.11.1

Affected_packages

url pkg:pypi/vllm@0.5.5

purl pkg:pypi/vllm@0.5.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-737m-tpkz-qffm

vulnerability	VCID-e8w2-9rwg-u7ba

vulnerability	VCID-f8nw-x5ug-kfh7

vulnerability	VCID-k1qz-xe9c-2bg3

vulnerability	VCID-nhwm-kq25-t3dt

vulnerability	VCID-svzy-7pke-2bdr

vulnerability	VCID-w9kt-yaqy-47fb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.5.5

References

reference_url	https://github.com/vllm-project/vllm
reference_id
reference_type
scores
url	https://github.com/vllm-project/vllm

reference_url	https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/chat_utils.py#L1602-L1610
reference_id
reference_type
scores
url	https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/chat_utils.py#L1602-L1610

reference_url	https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/openai/serving_engine.py#L809-L814
reference_id
reference_type
scores
url	https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/openai/serving_engine.py#L809-L814

reference_url	https://github.com/vllm-project/vllm/commit/3ada34f9cb4d1af763fdfa3b481862a93eb6bd2b
reference_id
reference_type
scores
url	https://github.com/vllm-project/vllm/commit/3ada34f9cb4d1af763fdfa3b481862a93eb6bd2b

reference_url	https://github.com/vllm-project/vllm/pull/27205
reference_id
reference_type
scores
url	https://github.com/vllm-project/vllm/pull/27205

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2025-62426
reference_id	CVE-2025-62426
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2025-62426

reference_url	https://github.com/advisories/GHSA-69j4-grxj-j64p
reference_id	GHSA-69j4-grxj-j64p
reference_type
scores
url	https://github.com/advisories/GHSA-69j4-grxj-j64p

reference_url	https://github.com/vllm-project/vllm/security/advisories/GHSA-69j4-grxj-j64p
reference_id	GHSA-69j4-grxj-j64p
reference_type
scores
url	https://github.com/vllm-project/vllm/security/advisories/GHSA-69j4-grxj-j64p

Weaknesses

cwe_id	770
name	Allocation of Resources Without Limits or Throttling
description	The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhwm-kq25-t3dt

Vulnerability Instance