simon-mo

2 exploits Active since Aug 2025
CVE-2025-59425 HIGH WRITEUP
vllm < 0.11.0 - Timing Attack via API Key Validation
vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performed validation using a method that was vulnerable to a timing attack. API key validation used a string comparison that takes longer the more characters of the provided API key are correct. Data analysis across many attempts could allow an attacker to determine when they have found the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.
CVSS 7.5
CVE-2025-48956 HIGH WRITEUP
vLLM 0.1.0-0.10.1.0 - Unauthenticated Denial of Service via Large HTTP Header
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. This vulnerability is fixed in 0.10.1.1.
CVSS 7.5