CVE-2025-59425
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-59425, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-07

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-07
Last Modified
2025-10-16
Generated
2026-07-06
AI Q&A
2025-10-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
vllm vllm to 0.11.0 (exc)
vllm vllm 0.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-385 Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in vLLM's API key validation allows an attacker to perform a timing attack. The validation method compares the provided API key character-by-character, taking longer as more characters match correctly. By analyzing the time taken for many attempts, an attacker can deduce the correct API key characters sequentially, potentially bypassing authentication.

Impact Analysis

An attacker exploiting this vulnerability can bypass authentication by discovering the API key through timing analysis. This could allow unauthorized access to the vLLM service, potentially leading to misuse of the service or exposure of sensitive data.

Mitigation Strategies

Upgrade vLLM to version 0.11.0rc2 or later, as this version fixes the timing attack vulnerability in API key validation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart