CVE-2025-48956
BaseFortify
Publication date: 2025-08-21
Last updated on: 2025-10-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vllm | vllm | From 0.1.0 (inc) to 0.10.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in vLLM allows an attacker to cause a Denial of Service (DoS) by sending a single HTTP GET request with an extremely large header to the server. This large header causes the server's memory to be exhausted, which can lead to the server crashing or becoming unresponsive. The attack can be performed remotely without any authentication.
How can this vulnerability impact me?
The vulnerability can impact you by causing the vLLM server to crash or become unresponsive due to memory exhaustion triggered by a malicious HTTP request. This results in denial of service, potentially disrupting availability of services relying on vLLM.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade vLLM to version 0.10.1.1 or later, where the issue is fixed. Additionally, consider implementing network-level protections such as limiting the size of HTTP headers accepted by the server to prevent memory exhaustion from extremely large headers.
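The mitigation above (bounding the header size the server will accept) in working form, as an added example that is not code from vLLM, its HTTP stack, or BaseFortify. It shows a minimal HTTP/1.1 request-head reader that enforces a byte budget while reading, not after the whole head is already in memory, which is the difference between a server that keeps buffering one oversized header until memory runs out and one that stops at a fixed bound and answers 431. The budget values (8 KiB head, 100 fields), the CountingStream wrapper, and the constructed requests are assumptions for illustration; vLLM's real server is FastAPI on an ASGI server with its own configuration, and in a deployment this limit normally belongs in the reverse proxy or ASGI server settings rather than in application code.

```python
import io

MAX_HEAD_BYTES = 8 * 1024      # assumption: 8 KiB budget for request line + all headers
MAX_HEADER_COUNT = 100         # assumption: cap on the number of header fields


class HeaderTooLarge(Exception):
    """Raised as soon as the request head exceeds its byte or field budget."""


class CountingStream:
    """Binary stream wrapper that records how many bytes the reader pulled in.

    Constructed for this example so the caller can verify that the bounded
    reader never buffers more than (budget + one chunk), however large the
    incoming request is.
    """

    def __init__(self, raw: bytes) -> None:
        self._stream = io.BytesIO(raw)
        self.bytes_read = 0

    def read(self, n: int) -> bytes:
        data = self._stream.read(n)
        self.bytes_read += len(data)
        return data


def read_request_head(stream, max_bytes: int = MAX_HEAD_BYTES, chunk: int = 1024):
    """Read an HTTP/1.1 request head (request line + headers) under a byte budget.

    Returns (head, leftover): 'head' ends with the blank line that terminates
    the headers; 'leftover' is any body bytes that arrived in the same chunk.
    The check runs after every chunk, so the buffer can never grow past
    max_bytes + chunk regardless of how much the client sends. That early stop
    is what prevents a single oversized header from exhausting memory.
    """
    buf = bytearray()
    while True:
        data = stream.read(chunk)
        if not data:
            raise ConnectionError("connection closed before end of headers")
        buf += data
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            head_len = end + 4
            if head_len > max_bytes:
                raise HeaderTooLarge(f"request head is {head_len} bytes, limit {max_bytes}")
            return bytes(buf[:head_len]), bytes(buf[head_len:])
        if len(buf) > max_bytes:
            # Terminator not seen yet and the budget is already spent: stop reading now.
            raise HeaderTooLarge(f"request head exceeds {max_bytes} bytes")


def parse_headers(head: bytes, max_count: int = MAX_HEADER_COUNT):
    """Split a request head into (request_line, headers), bounding the field count."""
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    request_line, field_lines = lines[0], lines[1:]
    if len(field_lines) > max_count:
        raise HeaderTooLarge(f"{len(field_lines)} header fields, limit {max_count}")
    headers = {}
    for line in field_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line.decode("latin-1"), headers


def build_request(header_value_len: int) -> bytes:
    """Construct a GET request whose single X-Padding header has the given length.

    Sample input for the example; the path is illustrative, not a vLLM endpoint claim.
    """
    return (
        b"GET /v1/models HTTP/1.1\r\n"
        b"Host: localhost\r\n"
        b"X-Padding: " + b"A" * header_value_len + b"\r\n"
        b"\r\n"
    )


def handle(raw: bytes, max_bytes: int = MAX_HEAD_BYTES) -> tuple:
    """Simulate the server side. Returns (status, bytes_buffered_by_server)."""
    stream = CountingStream(raw)
    try:
        head, _body = read_request_head(stream, max_bytes=max_bytes)
        parse_headers(head)
        return 200, stream.bytes_read
    except HeaderTooLarge:
        return 431, stream.bytes_read   # 431 Request Header Fields Too Large


if __name__ == "__main__":
    # A normal request is accepted; a request with a 50 MiB header is refused
    # after the server has read only a few KiB of it.
    print(handle(build_request(100)))
    print(handle(build_request(50 * 1024 * 1024)))
```

The second call builds a 50 MiB request on the client side, but `bytes_read` in the result shows the server stopped after the budget plus one chunk (9 KiB here). Without the per-chunk check, the equivalent of `stream.read()` would have pulled the whole 50 MiB into the process before any header was parsed, which is the CWE-400 failure mode the record describes.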