SB2026010788 - Multiple vulnerabilities in vLLM
Published: January 7, 2026 Updated: May 1, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Incomplete comparison with missing factors (CVE-ID: CVE-2025-46722)
CWE-ID: CWE-1023 - Incomplete Comparison with Missing Factors
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to the MultiModalHasher class in vllm/multimodal/hasher.py serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the imageâs shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks.
2) Input validation error (CVE-ID: CVE-2025-48942)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied json_schema passed as a Guided param to the /v1/completions API endpoint. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Input validation error (CVE-ID: CVE-2025-48943)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling invalid regex. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2025-48944)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input passed via the in the "pattern" and "type" fields to the /v1/chat/completions OpenAPI endpoint A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Inefficient regular expression complexity (CVE-ID: CVE-2025-48887)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
6) Inefficient regular expression complexity (CVE-ID: N/A)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in multiple files. A remote user can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
7) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2025-46570)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to a timing side-channel in the chunk-based prefix caching mechanism when processing prompts that share cached prefix chunks. A remote user can measure time to first token for crafted prompt guesses to disclose sensitive information.
Exploitation requires sharing the same backend with a victim, and user interaction is required.
Remediation
Install update from vendor's website.
References
- https://github.com/vllm-project/vllm/security/advisories/GHSA-c65p-x677-fgj6
- https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg
- https://github.com/vllm-project/vllm/security/advisories/GHSA-9hcf-v7m4-6m2j
- https://github.com/vllm-project/vllm/security/advisories/GHSA-vrq3-r879-7m65
- https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25
- https://github.com/vllm-project/vllm/security/advisories/GHSA-j828-28rj-hfhp
- https://github.com/vllm-project/vllm/security/advisories/GHSA-4qjh-9fv9-r85r
- https://github.com/vllm-project/vllm/pull/17045