contributors to the vLLM project

2 exploits Active since Oct 2025

CVE-2025-59425 WRITEUP HIGH WRITEUP

vllm < 0.11.0 - Timing Attack via API Key Validation

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

CVSS 7.5

View Code

CVE-2025-62426 WRITEUP MEDIUM WRITEUP

vLLM 0.5.5-0.11.1 - Denial of Service via Unvalidated chat_template_kwargs Parameter

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.

CVSS 6.5

View Code