CVE-2025-62372
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vllm | vllm | From 0.5.5 (inc) to 0.11.1 (exc) |
| vllm | vllm | 0.11.1 |
| vllm | vllm | 0.11.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in vLLM versions 0.5.5 to before 0.11.1 allows an attacker to crash the vLLM engine serving multimodal models by passing multimodal embedding inputs that have the correct number of dimensions (ndim) but an incorrect shape, such as a wrong hidden dimension. This can happen regardless of whether the model is intended to support such inputs. The issue was fixed in version 0.11.1.
How can this vulnerability impact me? :
The vulnerability can cause the vLLM engine to crash when processing certain malformed multimodal embedding inputs. This can lead to denial of service, disrupting the availability of the inference and serving engine for large language models, potentially impacting applications relying on vLLM for multimodal model serving.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the vLLM engine to version 0.11.1 or later, as this version contains the patch that fixes the vulnerability allowing crashes from malformed multimodal embedding inputs.