CVE-2025-48942

EPSS 0.45%
Veröffentlicht 30.05.2025 18:33:40
Zuletzt bearbeitet 02.06.2025 17:32:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervllm-project

≫

Produkt vllm

Version >= 0.8.0, < 0.9.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.359

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg

https://github.com/vllm-project/vllm/issues/17248

https://github.com/vllm-project/vllm/pull/17623

https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff

https://nvd.nist.gov/vuln/detail/CVE-2025-48942

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48942

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48942

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-48942