CVE-2025-46570

EPSS 0.03%
Veröffentlicht 29.05.2025 16:32:42
Zuletzt bearbeitet 30.05.2025 16:31:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervllm-project

≫

Produkt vllm

Version < 0.9.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.084

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	2.6	1.2	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/vllm-project/vllm/security/advisories/GHSA-4qjh-9fv9-r85r

https://github.com/vllm-project/vllm/pull/17045

https://github.com/vllm-project/vllm/commit/77073c77bc2006eb80ea6d5128f076f5e6c6f54f

https://nvd.nist.gov/vuln/detail/CVE-2025-46570

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-46570

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-46570

EUVD