CVE-2025-59425
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-07

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-07
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59425
EUVD
EUVD-2025-32058
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vllm vllm to 0.11.0 (exc)
vllm vllm 0.11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-385 Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in vLLM's API key validation allows an attacker to perform a timing attack. The validation method compares the provided API key character-by-character, taking longer as more characters match correctly. By analyzing the time taken for many attempts, an attacker can deduce the correct API key characters sequentially, potentially bypassing authentication.

Impact Analysis

An attacker exploiting this vulnerability can bypass authentication by discovering the API key through timing analysis. This could allow unauthorized access to the vLLM service, potentially leading to misuse of the service or exposure of sensitive data.

Mitigation Strategies

Upgrade vLLM to version 0.11.0rc2 or later, as this version fixes the timing attack vulnerability in API key validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart