CVE-2025-62426

EPSS 0.05%
Veröffentlicht 21.11.2025 01:21:29
Zuletzt bearbeitet 04.12.2025 17:42:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vllm ≫ Vllm Version >= 0.5.5 < 0.11.1

Vllm ≫ Vllm Version0.11.1 Updaterc0

Vllm ≫ Vllm Version0.11.1 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.155

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/vllm-project/vllm/security/advisories/GHSA-69j4-grxj-j64p

Vendor Advisory

https://github.com/vllm-project/vllm/pull/27205

Issue Tracking

https://github.com/vllm-project/vllm/commit/3ada34f9cb4d1af763fdfa3b481862a93eb6bd2b

Patch

https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/chat_utils.py#L1602-L1610

Product

https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/openai/serving_engine.py#L809-L814

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-62426

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-62426

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-62426

EUVD