Incomplete comparison with missing factors in vLLM - CVE-2025-46722

Published: January 7, 2026


Vulnerability identifier: #VU121084
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-46722
CWE-ID: CWE-1023
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: vLLM
Affected software:
vLLM

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists because the MultiModalHasher class in vllm/multimodal/hasher.py serializes PIL.Image.Image objects using only obj.tobytes(), which returns the raw pixel data without metadata such as the image's shape (width, height) or mode. As a result, two images of different dimensions (e.g., 30x100 and 100x30) whose pixel buffers are byte-identical produce the same hash value. This can cause hash collisions and incorrect cache hits, which in turn may lead to data leakage or other security impact.
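The collision and the resulting stale cache hit, as an added example that is not vLLM's code: a stand-in image class exposing only the attributes a hasher reads (mode, size, tobytes()), the pixels-only serialization beside one that binds mode and dimensions into the hashed bytes, and a toy hash-keyed cache showing which of the two serves the wrong entry. The FakeImage class, the use of SHA-256 and the cache are assumptions of this example, not details of vLLM's MultiModalHasher or of the vendor's fix.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeImage:
    """Stand-in for PIL.Image.Image (an assumption of this example): it exposes
    only the attributes a hasher reads, so the example runs without Pillow."""

    mode: str          # e.g. "L" (8-bit greyscale) or "RGB"
    size: tuple        # (width, height), as in PIL
    pixels: bytes      # raw buffer, what PIL's tobytes() would return

    def tobytes(self) -> bytes:
        return self.pixels


def serialize_pixels_only(img) -> bytes:
    """Vulnerable serialization: the raw pixel buffer and nothing else, so any
    two images with identical buffers (whatever their shape or mode) are equal."""
    return img.tobytes()


def serialize_with_shape(img) -> bytes:
    """Hardened serialization: length-prefixed mode, then width and height as
    fixed-width big-endian integers, then the pixel buffer. The prefixes make
    the encoding unambiguous, so shape and mode cannot be confused with data."""
    mode = img.mode.encode("utf-8")
    width, height = img.size
    header = struct.pack(">I", len(mode)) + mode + struct.pack(">II", width, height)
    return header + img.tobytes()


def hash_pixels_only(img) -> str:
    # SHA-256 is an assumption of this example; the point is what gets hashed.
    return hashlib.sha256(serialize_pixels_only(img)).hexdigest()


def hash_with_shape(img) -> str:
    return hashlib.sha256(serialize_with_shape(img)).hexdigest()


class HashKeyedCache:
    """Toy cache keyed by the image hash, as a multimodal input cache would be."""

    def __init__(self, hash_fn):
        self._hash_fn = hash_fn
        self._store = {}

    def get_or_compute(self, img, compute):
        """Return (value, hit). On a hit the stored value is served as-is."""
        key = self._hash_fn(img)
        if key in self._store:
            return self._store[key], True
        value = compute(img)
        self._store[key] = value
        return value, False


def build_samples():
    """Constructed inputs: one 3000-byte greyscale buffer under two shapes."""
    pixels = bytes(range(256)) * 11 + bytes(range(184))   # 3000 bytes
    tall = FakeImage("L", (30, 100), pixels)                # 30 x 100 = 3000 px
    wide = FakeImage("L", (100, 30), pixels)                # 100 x 30 = 3000 px
    return tall, wide


def describe(img) -> str:
    """Stands in for expensive per-image work (e.g. feature extraction)."""
    width, height = img.size
    return f"features-for-{width}x{height}"


def demo() -> dict:
    tall, wide = build_samples()
    results = {}

    # Vulnerable hasher: the second image hits the entry cached for the first.
    cache = HashKeyedCache(hash_pixels_only)
    cache.get_or_compute(tall, describe)
    value, hit = cache.get_or_compute(wide, describe)
    results["vulnerable_hit"] = hit               # True
    results["vulnerable_value"] = value           # "features-for-30x100", wrong

    # Hardened hasher: the shapes differ, so the second image is a miss.
    cache = HashKeyedCache(hash_with_shape)
    cache.get_or_compute(tall, describe)
    value, hit = cache.get_or_compute(wide, describe)
    results["hardened_hit"] = hit                 # False
    results["hardened_value"] = value             # "features-for-100x30"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With Pillow installed, Image.frombytes("L", (30, 100), pixels) and Image.frombytes("L", (100, 30), pixels) return the same tobytes() and can be passed to these functions unchanged. Mode has to go into the serialization as well as the dimensions: an "RGB" 10x10 image and an "L" 30x10 image both have a 300-byte buffer.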


How to mitigate CVE-2025-46722

Install updates from the vendor's website.

Sources