CVE-2025-11915— HTTP Desynchronisation in Vertex AI for certain third-party models
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-11915
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP Desynchronisation in Vertex AI for certain third-party models
Source: NVD (National Vulnerability Database)
Vulnerability Description
Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front of impacted models by 2025-09-28. Users do not need to take any action.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Google Cloud Vertex AI API 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Google Cloud Vertex AI API是美国谷歌(Google)公司的一套机器学习平台接口。 Google Cloud Vertex AI API存在安全漏洞,该漏洞源于HTTP代理与模型后端之间的连接不同步。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Google Cloud | Vertex AI: Partner Models for MaaS | 0 ~ 2025-09-26 | - | |
| Google Cloud | Vertex AI: Open Models for MaaS | 0 ~ 2025-09-28 | - | |
| Google Cloud | Vertex AI: Self-Deployed Models | 0 ~ 2025-09-28 | - |
II. Public POCs for CVE-2025-11915
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-11915
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Google Cloud
- CVE-2026-3259
Sensitive Data Disclosure in BigQuery via Materialized View - CVE-2026-4810
Remote Code Execution in Google Agent Development Kit (ADK) - CVE-2026-3136
Google Cloud Build Comment Control Bypass - CVE-2026-2244
Sensitive Data Exposure in Google Cloud Vertex AI Workbench - CVE-2026-2473
Bucket Squatting in Vertex AI Experiments leads to RCE and M
Same weakness: CWE-444
- CVE-2026-40562
Gazelle versions through 0.49 for Perl allows HTTP Request S - CVE-2026-40561
Starlet versions through 0.31 for Perl allows HTTP Request S - CVE-2026-39805
CL.CL HTTP request smuggling via duplicate Content-Length in - CVE-2026-40560
Starman versions before 0.4018 for Perl allows HTTP Request - CVE-2026-41873
Pony Mail: Admin account takeover via request smuggling
V. Comments for CVE-2025-11915
No comments yet