CVE-2025-48944

Exploit

EPSS 0.09%
Veröffentlicht 30.05.2025 18:38:45
Zuletzt bearbeitet 01.07.2025 20:42:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM is an inference and serving engine for large language models (LLMs). In version 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. Version 0.9.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vllm ≫ Vllm Version >= 0.8.0 < 0.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.266

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/vllm-project/vllm/pull/17623

Vendor Advisory

Issue Tracking

https://github.com/vllm-project/vllm/security/advisories/GHSA-vrq3-r879-7m65

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-48944

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48944

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48944

EUVD