CVE-2025-46722

EPSS 0.07%
Veröffentlicht 29.05.2025 16:36:12
Zuletzt bearbeitet 30.05.2025 16:31:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervllm-project

≫

Produkt vllm

Version >= 0.7.0, < 0.9.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.21

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L

CWE-1023 Incomplete Comparison with Missing Factors

The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

CWE-1288 Improper Validation of Consistency within Input

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

https://github.com/vllm-project/vllm/security/advisories/GHSA-c65p-x677-fgj6

https://github.com/vllm-project/vllm/pull/17378

https://github.com/vllm-project/vllm/commit/99404f53c72965b41558aceb1bc2380875f5d848

https://nvd.nist.gov/vuln/detail/CVE-2025-46722

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-46722

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-46722

EUVD