CVE-2025-62372

MEDIUM

Vllm < 0.11.1 - Improper Array Index Validation

Title source: rule

Description

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.

References (4)

[Mitigation, Vendor Advisory] https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw

[Issue Tracking, Patch, Vendor Advisory] https://github.com/vllm-project/vllm/pull/27204

[Issue Tracking] https://github.com/vllm-project/vllm/pull/6613

[Patch] https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 25.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-129

Status published

Products (3)

pypi/vllm 0.5.5 - 0.11.1PyPI

vllm/vllm 0.11.1 rc0 (2 CPE variants)

vllm/vllm 0.5.5 - 0.11.1

Published Nov 21, 2025

Tracked Since Feb 18, 2026