CVE-2025-59425

Exploit

EPSS 0.46%
Veröffentlicht 07.10.2025 14:15:38
Zuletzt bearbeitet 16.10.2025 18:02:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vllm ≫ Vllm Version < 0.11.0

Vllm ≫ Vllm Version0.11.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.631

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-385 Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

https://github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py#L1270-L1274

Product

https://github.com/vllm-project/vllm/commit/ee10d7e6ff5875386c7f136ce8b5f525c8fcef48

Patch

https://github.com/vllm-project/vllm/releases/tag/v0.11.0

Release Notes

https://github.com/vllm-project/vllm/security/advisories/GHSA-wr9h-g72x-mwhm

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-59425

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59425

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59425

EUVD