CVE-2025-59425
BaseFortify
Publication date: 2025-10-07
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vllm | vllm | to 0.11.0 (exc) |
| vllm | vllm | 0.11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-385 | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in vLLM's API key validation allows an attacker to perform a timing attack. The validation method compares the provided API key character-by-character, taking longer as more characters match correctly. By analyzing the time taken for many attempts, an attacker can deduce the correct API key characters sequentially, potentially bypassing authentication.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can bypass authentication by discovering the API key through timing analysis. This could allow unauthorized access to the vLLM service, potentially leading to misuse of the service or exposure of sensitive data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade vLLM to version 0.11.0rc2 or later, as this version fixes the timing attack vulnerability in API key validation.