CVE-2025-62426

EPSS 0.32%
Veröffentlicht 21.11.2025 01:21:29
Zuletzt bearbeitet 04.12.2025 17:42:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vllm ≫ Vllm Version >= 0.5.5 < 0.11.1

Vllm ≫ Vllm Version0.11.1 Updaterc0

Vllm ≫ Vllm Version0.11.1 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.234

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/vllm-project/vllm/security/advisories/GHSA-69j4-grxj-j64p

Vendor Advisory

https://github.com/vllm-project/vllm/pull/27205

Issue Tracking

https://github.com/vllm-project/vllm/commit/3ada34f9cb4d1af763fdfa3b481862a93eb6bd2b

Patch

https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/chat_utils.py#L1602-L1610

Product

https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/openai/serving_engine.py#L809-L814

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-62426

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-62426

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-62426

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-62426