Covert timing channel in vLLM - CVE-2025-59425
Published: December 11, 2025
Vulnerability identifier: #VU119862
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-59425
CWE-ID: CWE-385
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: vLLM
Affected software:
vLLM
vLLM
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists within the API key validation process, which uses a string comparison that takes longer the more characters the provided API key gets correct. A remote attacker can perform a timing attack and brute-force the API key.
How to mitigate CVE-2025-59425
Install updates from vendor's website.
Sources
- https://github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py#L1270-L1274
- https://github.com/vllm-project/vllm/commit/ee10d7e6ff5875386c7f136ce8b5f525c8fcef48
- https://github.com/vllm-project/vllm/releases/tag/v0.11.0
- https://github.com/vllm-project/vllm/security/advisories/GHSA-wr9h-g72x-mwhm