2.6
CVE-2025-46570
- EPSS 0.25%
- Veröffentlicht 29.05.2025 16:32:42
- Zuletzt bearbeitet 30.05.2025 16:31:03
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
vLLM’s Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellervllm-project
≫
Produkt
vllm
Version
< 0.9.0
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.159 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 2.6 | 1.2 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
|
CWE-208 Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
https://github.com/vllm-project/vllm/security/advisories/GHSA-4qjh-9fv9-r85r
https://github.com/vllm-project/vllm/pull/17045
https://github.com/vllm-project/vllm/commit/77073c77bc2006eb80ea6d5128f076f5e6c6f54f