#VU121084 Incomplete comparison with missing factors in vLLM - CVE-2025-46722

Published: January 7, 2026


Vulnerability identifier: #VU121084
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-46722
CWE-ID: CWE-1023
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
vLLM
Software vendor:
vLLM

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists because the MultiModalHasher class in vllm/multimodal/hasher.py serializes PIL.Image.Image objects using only obj.tobytes(), which returns the raw pixel data without metadata such as the image's shape (width, height) and mode. As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or other security risks.
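The collision described above, as an added example that is not vLLM's own code: a pixel-only hash (the weak form) beside one that also binds mode and dimensions (the hardened form). A small RawImage stand-in is constructed so the example runs without Pillow; it exposes the same .mode, .size and .tobytes() that a real PIL.Image.Image provides, and the hash functions are assumptions for illustration, not the hasher's actual API.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RawImage:
    """Constructed stand-in for PIL.Image.Image with the three attributes
    the hasher needs: mode, size=(width, height) and tobytes()."""
    mode: str
    size: tuple
    pixels: bytes

    def tobytes(self) -> bytes:
        return self.pixels


def weak_image_hash(img) -> str:
    """Hash only the raw pixel buffer, as the vulnerable hasher did.
    Width, height and mode are dropped, so transposed or re-typed
    buffers with identical bytes collide."""
    return hashlib.sha256(img.tobytes()).hexdigest()


def strong_image_hash(img) -> str:
    """Hash mode and (width, height) together with the pixels. Each
    field is length-prefixed so no two distinct inputs serialize alike."""
    h = hashlib.sha256()
    for field in (img.mode.encode(), repr(img.size).encode(), img.tobytes()):
        h.update(len(field).to_bytes(8, "big"))
        h.update(field)
    return h.hexdigest()


def collides(hash_fn, a, b) -> bool:
    """True when hash_fn cannot tell the two images apart."""
    return hash_fn(a) == hash_fn(b)


# Constructed sample: one 3000-byte pixel buffer viewed three ways, as in the
# advisory's 30x100 vs 100x30 case, plus the same bytes read as 10x100 RGB.
PIXELS = bytes(range(256)) * 11 + bytes(range(184))  # 3000 bytes
TALL = RawImage("L", (30, 100), PIXELS)    # 3000 grayscale pixels
WIDE = RawImage("L", (100, 30), PIXELS)    # same bytes, transposed shape
RGB = RawImage("RGB", (10, 100), PIXELS)   # same bytes, 1000 RGB pixels

if __name__ == "__main__":
    print("weak   TALL/WIDE collide:", collides(weak_image_hash, TALL, WIDE))
    print("strong TALL/WIDE collide:", collides(strong_image_hash, TALL, WIDE))
    print("strong TALL/RGB  collide:", collides(strong_image_hash, TALL, RGB))
```

With Pillow installed, the same two functions accept a real image such as Image.frombytes("L", (30, 100), PIXELS) unchanged.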


Remediation

Install updates from vendor's website.

External links