vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl: 16 vulnerabilities (highest severity is: 9.8) #52

@mend-bolt-for-github

Vulnerable Library - vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl

A high-throughput and memory-efficient inference and serving engine for LLMs

Library home page: https://files.pythonhosted.org/packages/b1/e2/44d0cc777cd8aebac4437fc067b874d48c2a864e1c918cf7337c11195ccc/vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl

Path to dependency file: /ai/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (vllm version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-9053 | Critical | 9.8 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | N/A | |
| CVE-2024-11041 | Critical | 9.8 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | N/A | |
| CVE-2025-29783 | Critical | 9.0 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.8.0 | |
| CVE-2025-59425 | High | 7.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.11.0 | |
| CVE-2025-48956 | High | 7.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | vllm - 0.10.1.1 | |
| CVE-2025-24357 | High | 7.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.6.6.post1 | |
| CVE-2024-8768 | High | 7.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.5.5 | |
| CVE-2026-24779 | High | 7.1 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.14.1 | |
| CVE-2025-66448 | High | 7.1 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.11.1 | |
| CVE-2026-34756 | Medium | 6.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | vllm - 0.19.0 | |
| CVE-2026-22773 | Medium | 6.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.12.0 | |
| CVE-2025-29770 | Medium | 6.5 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.8.0 | |
| CVE-2024-8939 | Medium | 6.2 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.6.3 | |
| CVE-2025-46722 | Medium | 4.2 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | vllm - 0.9.0 | |
| CVE-2025-46570 | Low | 2.6 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | vllm - 0.9.0 | |
| CVE-2025-25183 | Low | 2.6 | vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl | Direct | 0.7.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-9053

Dependency Hierarchy:

  • vllm-0.3.3-cp39-cp39-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. The core functionality run_server_loop() calls the function _make_handler_coro(), which directly uses cloudpickle.loads() on received messages without any sanitization. This can result in remote code execution by deserializing malicious pickle data.

Publish Date: 2025-03-20

URL: CVE-2024-9053

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-11041

Vulnerability Details

vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse received sockets directly, leading to a remote code execution vulnerability. An attacker can exploit this by sending a malicious payload to the MessageQueue, causing the victim's machine to execute arbitrary code.

Publish Date: 2025-03-20

URL: CVE-2024-11041

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2025-29783

Vulnerability Details

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code execution vulnerability impacting any deployments using Mooncake to distribute KV across distributed hosts. This vulnerability is fixed in 0.8.0.

Publish Date: 2025-03-19

URL: CVE-2025-29783

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-x3m8-f7g5-qhm7

Release Date: 2025-03-19

Fix Resolution: 0.8.0

CVE-2025-59425

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

Publish Date: 2025-10-07

URL: CVE-2025-59425

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wr9h-g72x-mwhm

Release Date: 2025-10-07

Fix Resolution: 0.11.0

CVE-2025-48956

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. This vulnerability is fixed in 0.10.1.1.

Publish Date: 2025-08-21

URL: CVE-2025-48956

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rxc4-3w6r-4v47

Release Date: 2025-08-21

Fix Resolution: vllm - 0.10.1.1

CVE-2025-24357

Vulnerability Details

vLLM is a library for LLM inference and serving. vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weights_only parameter defaults to False. When torch.load loads malicious pickle data, it will execute arbitrary code during unpickling. This vulnerability is fixed in v0.7.0.

Publish Date: 2025-01-27

URL: CVE-2025-24357

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rh4j-5rhw-hr54

Release Date: 2025-01-27

Fix Resolution: 0.6.6.post1

CVE-2024-8768

Vulnerability Details

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.

Publish Date: 2024-09-17

URL: CVE-2024-8768

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-8768

Release Date: 2024-09-17

Fix Resolution: 0.5.5

CVE-2026-24779

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the "MediaConnector" class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like "llm-d", where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal "llm-d" management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue.

Publish Date: 2026-01-27

URL: CVE-2026-24779

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-27

Fix Resolution: 0.14.1

CVE-2025-66448

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

Publish Date: 2025-12-01

URL: CVE-2025-66448

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-01

Fix Resolution: 0.11.1

CVE-2026-34756

Vulnerability Details

Summary

A Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the "n" parameter in the "ChatCompletionRequest" and "CompletionRequest" Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large "n" value. This completely blocks the Python "asyncio" event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue.

Details

The root cause of this vulnerability lies in the missing upper bound checks across the request parsing and asynchronous scheduling layers:

1. Protocol Layer: In "vllm/entrypoints/openai/chat_completion/protocol.py", the "n" parameter is defined simply as an integer without any "pydantic.Field" constraints for an upper bound.

    class ChatCompletionRequest(OpenAIBaseModel):
        # Ordered by official OpenAI API documentation
        # https://platform.openai.com/docs/api/reference/chat/create
        messages: list[ChatCompletionMessageParam]
        model: str | None = None
        frequency_penalty: float | None = 0.0
        logit_bias: dict[str, float] | None = None
        logprobs: bool | None = False
        top_logprobs: int | None = 0
        max_tokens: int | None = Field(
            default=None,
            deprecated="max_tokens is deprecated in favor of "
            "the max_completion_tokens field",
        )
        max_completion_tokens: int | None = None
        n: int | None = 1
        presence_penalty: float | None = 0.0

2. SamplingParams Layer (Incomplete Validation): When the API request is converted to internal "SamplingParams" in "vllm/sampling_params.py", the "_verify_args" method only checks the lower bound ("self.n < 1"), entirely omitting an upper bounds check.

    def _verify_args(self) -> None:
        if not isinstance(self.n, int):
            raise ValueError(f"n must be an int, but is of type {type(self.n)}")
        if self.n < 1:
            raise ValueError(f"n must be at least 1, got {self.n}.")

3. Engine Layer (The OOM Trigger): When the malicious request reaches the core engine ("vllm/v1/engine/async_llm.py"), the engine attempts to fan out the request "n" times to generate identical independent sequences within a synchronous loop.

    # Fan out child requests (for n>1).
    parent_request = ParentRequest(request)
    for idx in range(parent_params.n):
        request_id, child_params = parent_request.get_child_info(idx)
        child_request = request if idx == parent_params.n - 1 else copy(request)
        child_request.request_id = request_id
        child_request.sampling_params = child_params
        await self._add_request(
            child_request, prompt_text, parent_request, idx, queue
        )
    return queue

Because Python's "asyncio" runs on a single thread and event loop, this monolithic "for"-loop monopolizes the CPU thread. The server stops responding to all other connections (including liveness probes). Simultaneously, the memory allocator is overwhelmed by cloning millions of request object instances via "copy(request)", driving the host's Resident Set Size (RSS) up by gigabytes per second until the OS "OOM-killer" terminates the vLLM process.

Impact

Vulnerability Type: Resource Exhaustion / Denial of Service

Impacted Parties:

  • Any individual or organization hosting a public-facing vLLM API server ("vllm.entrypoints.openai.api_server"), which happens to be the primary entrypoint for OpenAI-compatible setups.
  • SaaS / AI-as-a-Service platforms acting as reverse proxies sitting in front of vLLM without strict HTTP body payload validation or rate limitations.

Because this vulnerability exploits the control plane rather than the data plane, an unauthenticated remote attacker can achieve a high success rate in taking down production inference hosts with a single HTTP request. This effectively circumvents any hardware-level capacity planning and conventional bandwidth stress limitations.

Publish Date: 2026-04-03

URL: CVE-2026-34756

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3mwp-wvh9-7528

Release Date: 2026-04-03

Fix Resolution: vllm - 0.19.0

CVE-2026-22773

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

Publish Date: 2026-01-10

URL: CVE-2026-22773

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg2-63fw-f2qr

Release Date: 2026-01-10

Fix Resolution: 0.12.0

CVE-2025-29770

Vulnerability Details

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0.

Publish Date: 2025-03-19

URL: CVE-2025-29770

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-mgrm-fgjv-mhv8

Release Date: 2025-03-19

Fix Resolution: 0.8.0

CVE-2024-8939

Vulnerability Details

A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.

Publish Date: 2024-09-17

URL: CVE-2024-8939

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2024-09-17

Fix Resolution: 0.6.3

CVE-2025-46722

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0.

Publish Date: 2025-05-29

URL: CVE-2025-46722

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-c65p-x677-fgj6

Release Date: 2025-05-28

Fix Resolution: vllm - 0.9.0

CVE-2025-46570

Vulnerability Details

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.

Publish Date: 2025-05-29

URL: CVE-2025-46570

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-4qjh-9fv9-r85r

Release Date: 2025-05-28

Fix Resolution: vllm - 0.9.0

CVE-2025-25183

Vulnerability Details

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use of Python's built-in hash() function. As of Python 3.12, the behavior of hash(None) has changed to be a predictable constant value. This makes it more feasible that someone could try to exploit hash collisions. The impact of a collision would be using cache that was generated using different content. Given knowledge of prompts in use and predictable hashing behavior, someone could intentionally populate the cache using a prompt known to collide with another prompt in use. This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2025-02-07

URL: CVE-2025-25183

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-rm76-4mrf-v9r8

Release Date: 2025-02-07

Fix Resolution: 0.7.2
