VulnerableCode Package Details - pkg:pypi/vllm@0.9.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-nctw-rz8h-f3af Aliases: CVE-2026-22773 GHSA-grg2-63fw-f2qr PYSEC-2026-143	vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.	0.12.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-za3a-c9m1-jqgz Aliases: CVE-2026-34755 GHSA-pq5c-rjhq-qp7p PYSEC-2026-144	vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.	0.19.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-nctw-rz8h-f3af
Aliases:
CVE-2026-22773
GHSA-grg2-63fw-f2qr
PYSEC-2026-143

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

0.12.0
Affected by 1 other vulnerability.

VCID-za3a-c9m1-jqgz
Aliases:
CVE-2026-34755
GHSA-pq5c-rjhq-qp7p
PYSEC-2026-144

vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.

0.19.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-5ec1-1h6d-tuaq	vLLM is an inference and serving engine for large language models (LLMs). Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg/CVE-2025-48942, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.	CVE-2025-48943 GHSA-9hcf-v7m4-6m2j PYSEC-2025-55
VCID-e8w2-9rwg-u7ba	vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.	CVE-2025-46570 GHSA-4qjh-9fv9-r85r PYSEC-2025-53
VCID-qake-z4ec-wkdu	vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.	CVE-2025-48942 GHSA-6qc9-v4r8-22xg PYSEC-2025-54
VCID-svzy-7pke-2bdr	vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0.	CVE-2025-46722 GHSA-c65p-x677-fgj6 PYSEC-2025-43
VCID-ugds-eqgw-fbbz	vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.	CVE-2025-48887 PYSEC-2025-50

Vulnerability

Summary

Aliases

VCID-5ec1-1h6d-tuaq

vLLM is an inference and serving engine for large language models (LLMs). Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg/CVE-2025-48942, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

CVE-2025-48943
GHSA-9hcf-v7m4-6m2j
PYSEC-2025-55

VCID-e8w2-9rwg-u7ba

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.

CVE-2025-46570
GHSA-4qjh-9fv9-r85r
PYSEC-2025-53

VCID-qake-z4ec-wkdu

vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

CVE-2025-48942
GHSA-6qc9-v4r8-22xg
PYSEC-2025-54

VCID-svzy-7pke-2bdr

vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0.

CVE-2025-46722
GHSA-c65p-x677-fgj6
PYSEC-2025-43

VCID-ugds-eqgw-fbbz

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.

CVE-2025-48887
PYSEC-2025-50

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:24:27.945315+00:00	Pypa Importer	Affected by	VCID-za3a-c9m1-jqgz	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2026-144.yaml	38.6.0
2026-06-02T04:23:39.310081+00:00	Pypa Importer	Affected by	VCID-nctw-rz8h-f3af	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2026-143.yaml	38.6.0
2026-06-02T04:23:06.847318+00:00	Pypa Importer	Fixing	VCID-qake-z4ec-wkdu	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2025-54.yaml	38.6.0
2026-06-02T04:23:06.792042+00:00	Pypa Importer	Fixing	VCID-5ec1-1h6d-tuaq	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2025-55.yaml	38.6.0
2026-06-02T04:23:06.735305+00:00	Pypa Importer	Fixing	VCID-ugds-eqgw-fbbz	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2025-50.yaml	38.6.0
2026-06-02T04:23:06.584728+00:00	Pypa Importer	Fixing	VCID-e8w2-9rwg-u7ba	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2025-53.yaml	38.6.0
2026-06-02T04:23:06.335882+00:00	Pypa Importer	Fixing	VCID-svzy-7pke-2bdr	https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2025-43.yaml	38.6.0