7.5

CVE-2025-48956

vLLM API endpoints vulnerable to Denial of Service Attacks

vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. This vulnerability is fixed in 0.10.1.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VllmVllm Version >= 0.1.0 < 0.10.1.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.53% 0.404
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/vllm-project/vllm/security/advisories/GHSA-rxc4-3w6r-4v47
Vendor Advisory
https://github.com/vllm-project/vllm/pull/23267
Patch
Issue Tracking
https://github.com/vllm-project/vllm/commit/d8b736f913a59117803d6701521d2e4861701944
Patch