Server-Side Request Forgery (SSRF)
vLLM is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to insufficient restrictions on user-supplied URLs in the MediaConnector class's load_from_url and load_from_url_async methods, which allows an attacker to coerce the server into making arbitrary internal network requests...
PT-2025-23226 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.8.0 through 0.9.0 Description: The issue arises when the /v1/completions API endpoint is hit with an invalid JSON schema as a Guided Param, causing the vLLM server to crash. This is similar to a previously known issue but...
PT-2025-23136 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.7.0 through 0.8.x Description: The issue concerns a security and data integrity problem in the image hashing method of the MultiModalHasher class. Specifically, the method serializes PIL.Image.Image objects using only...
PT-2025-23228 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.8.0 through 0.9.0 Description: The vLLM backend used with the "/v1/chat/completions" API endpoint fails to validate unexpected or malformed input in the pattern and type fields when the tools functionality is invoked. These...
PT-2025-23224 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.6.4 through 0.9.0 Description: The issue is a Regular Expression Denial of Service (ReDoS) vulnerability in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py. The root cause is the use of a highly complex and...
PT-2025-23135 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions prior to 0.9.0 Description: The issue arises from the prefix caching mechanism in vLLM, which may expose the system to a timing side-channel attack. When a new prompt is processed, if the PageAttention mechanism finds a matching...
Remote Code Execution (RCE)
vLLM is vulnerable to Remote Code Execution (RCE). The vulnerability is due to insecure pickle-based serialization over unsecured ZeroMQ sockets that were exposed to all network interfaces...
PT-2025-11696 · Vllm · Vllm
Name of the Vulnerable Software and Affected Versions: vLLM versions prior to 0.8.0 Description: The issue is related to the outlines library used by vLLM for structured output, which has an optional cache for compiled grammars on the local filesystem. This cache is enabled by default. A maliciou...
CVE-2025-25183 vLLM using built-in hash() from Python 3.12 leads to predictable hash collisions in vLLM prefix cache
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use of Python's built-i...