
vllm-project — Vulnerabilities & Security Advisories (33)

Browse all 33 CVE security advisories affecting vllm-project. AI-powered Chinese analysis, PoCs, and references are provided for each vulnerability.

vllm-project maintains vLLM, an open-source library for high-throughput, memory-efficient inference of large language models, used by developers who need an optimized serving stack for generative AI applications. Thirty-three CVEs have been recorded against the project to date. Grouped by weakness class, the advisories fall into a few recurring families: denial of service through unbounded resource allocation or expensive input processing (CWE-770, CWE-400, CWE-1333, CWE-248; for example the unbounded `n` parameter, oversized multimodal payloads, malformed tool schemas, and invalid regex or JSON-schema inputs that crash the server); remote code execution through deserialization of untrusted data on inter-node communication paths (CWE-502 in the PyNcclPipe, Mooncake and multi-node cluster advisories) and through dynamic module loading during model initialization (CWE-94, plus the CWE-693 hard-coded trust_remote_code=True); server-side request forgery in URL-based media fetching (CWE-918); and low-severity side channels in the prefix cache and in bearer-token comparison (CWE-208, CWE-354, CWE-385). Most of the critical entries and several of the high ones concern distributed or multi-node deployments and model loading rather than the single-node inference path, so the practical mitigations are to keep vLLM current, expose internal communication sockets only on trusted, segmented networks, leave trust_remote_code disabled unless the model source is trusted, and front the OpenAI-compatible API with authentication and per-request limits.
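As an added example (this editor's code, not vLLM's or any vendor's), the following minimal request gate for an OpenAI-compatible endpoint demonstrates two of the patterns the listing keeps returning to: bounding the parameters that drive resource allocation (the CWE-770 entries, such as the unbounded `n` parameter) and comparing bearer tokens in constant time (the CWE-385 entry). The limit values, the sample key, and every function name are assumptions; the naive comparison is shown beside the hardened one only to illustrate the weakness class, not as a reconstruction of vLLM's code.

```python
"""Added example: request hardening for an OpenAI-compatible inference API.

Not vLLM project code. Limits, key material and names are hypothetical.
"""
import hmac
from typing import Any, Dict, Optional, Tuple

# Hypothetical per-deployment ceilings (assumed values, tune to your hardware).
MAX_N = 8            # completions per request; each one reserves KV-cache
MAX_TOKENS = 4096    # generated tokens per completion
MAX_MESSAGES = 256   # chat turns per request

# Constructed sample secret; a real deployment loads this from the environment.
API_KEY = "sk-example-constructed-key"
_PREFIX = "Bearer "


def check_bearer_naive(header: Optional[str]) -> bool:
    """Weak pattern (CWE-385): `==` on the token bails out at the first
    differing byte, so response time leaks how much of a guess was right."""
    if not header or not header.startswith(_PREFIX):
        return False
    return header[len(_PREFIX):] == API_KEY


def check_bearer(header: Optional[str]) -> bool:
    """Hardened: hmac.compare_digest runs in time independent of where the
    inputs differ. Comparing bytes avoids surprises with non-ASCII tokens."""
    if not header or not header.startswith(_PREFIX):
        return False
    presented = header[len(_PREFIX):].encode("utf-8")
    return hmac.compare_digest(presented, API_KEY.encode("utf-8"))


def _bounded_int(value: Any, low: int, high: int) -> bool:
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_chat_request(body: Dict[str, Any]) -> Tuple[bool, str]:
    """Reject requests whose parameters would let a single client reserve
    unbounded memory or compute (CWE-770). Returns (ok, reason)."""
    n = body.get("n", 1)
    if not _bounded_int(n, 1, MAX_N):
        return False, f"n must be an integer in [1, {MAX_N}]"
    max_tokens = body.get("max_tokens", MAX_TOKENS)
    if not _bounded_int(max_tokens, 1, MAX_TOKENS):
        return False, f"max_tokens must be an integer in [1, {MAX_TOKENS}]"
    messages = body.get("messages")
    if not isinstance(messages, list) or not messages or len(messages) > MAX_MESSAGES:
        return False, f"messages must be a non-empty list of at most {MAX_MESSAGES} items"
    return True, "ok"


def handle(headers: Dict[str, str], body: Dict[str, Any]) -> Tuple[int, str]:
    """Gate order matters: authenticate first so unauthenticated clients
    cannot spend server time on validation or scheduling at all."""
    if not check_bearer(headers.get("Authorization")):
        return 401, "unauthorized"
    ok, reason = validate_chat_request(body)
    if not ok:
        return 400, reason
    return 200, "accepted"


if __name__ == "__main__":
    good = {"Authorization": "Bearer " + API_KEY}
    print(handle(good, {"messages": [{"role": "user", "content": "hi"}], "n": 2}))
    print(handle(good, {"messages": [{"role": "user", "content": "hi"}], "n": 10**9}))
    print(handle({}, {"messages": [{"role": "user", "content": "hi"}]}))
```

The validator runs on the parsed JSON body before anything is handed to the scheduler, which is where a bound on `n` has to sit to prevent the OOM described in the CWE-770 entries; a limit enforced after allocation is no limit at all.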

Showing 31 of 33 results
Top products by vllm-project: vllm (vllm-project/vllm)
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34756 | vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server | vllm | CWE-770 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-34755 | vLLM Affected by Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing | vllm | CWE-770 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-34753 | vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url` | vllm | CWE-918 | 5.4 | Medium | 2026-04-06 |
| CVE-2026-34760 | vLLM: Downmix Implementation Differences as Attack Vectors Against Audio AI Models | vllm | CWE-20 | 5.9 | Medium | 2026-04-02 |
| CVE-2026-27893 | vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out | vllm | CWE-693 | 8.8 | High | 2026-03-26 |
| CVE-2026-25960 | SSRF Protection Bypass in vLLM | vllm | CWE-918 | 7.1 | High | 2026-03-09 |
| CVE-2026-22778 | vLLM leaks a heap address when PIL throws an error | vllm | CWE-532 | 9.8 | Critical | 2026-02-02 |
| CVE-2026-24779 | vLLM vulnerable to Server-Side Request Forgery (SSRF) in `MediaConnector` | vllm | CWE-918 | 7.1 | High | 2026-01-27 |
| CVE-2026-22807 | vLLM affected by RCE via auto_map dynamic module loading during model initialization | vllm | CWE-94 | 8.8 | High | 2026-01-21 |
| CVE-2026-22773 | vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions | vllm | CWE-770 | 6.5 | Medium | 2026-01-10 |
| CVE-2025-66448 | vLLM vulnerable to remote code execution via transformers_utils/get_config | vllm | CWE-94 | 7.1 | High | 2025-12-01 |
| CVE-2025-62372 | vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs | vllm | CWE-129 | 7.5 | - | 2025-11-21 |
| CVE-2025-62426 | vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs` | vllm | CWE-770 | 6.5 | Medium | 2025-11-21 |
| CVE-2025-62164 | vLLM deserialization vulnerability leading to DoS and potential RCE | vllm | CWE-20 | 8.8 | High | 2025-11-21 |
| CVE-2025-59425 | vLLM vulnerable to timing attack at bearer auth | vllm | CWE-385 | 7.5 | High | 2025-10-07 |
| CVE-2025-48956 | vLLM API endpoints vulnerable to Denial of Service Attacks | vllm | CWE-400 | 7.5 | High | 2025-08-21 |
| CVE-2025-48944 | vLLM Tool Schema allows DoS via Malformed pattern and type Fields | vllm | CWE-20 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-48943 | vLLM allows clients to crash the OpenAI server with invalid regex | vllm | CWE-248 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-48942 | vLLM DoS: Remotely kill vLLM over HTTP with invalid JSON schema | vllm | CWE-248 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-48887 | vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py` | vllm | CWE-1333 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-46722 | vLLM has a Weakness in MultiModalHasher Image Hashing Implementation | vllm | CWE-1288 | 4.2 | Medium | 2025-05-29 |
| CVE-2025-46570 | vLLM's Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel | vllm | CWE-208 | 2.6 | Low | 2025-05-29 |
| CVE-2025-47277 | vLLM Allows Remote Code Execution via PyNcclPipe Communication Service | vllm | CWE-502 | 9.8 | Critical | 2025-05-20 |
| CVE-2025-30165 | Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration | vllm | CWE-502 | 8.0 | High | 2025-05-06 |
| CVE-2025-32444 | vLLM Vulnerable to Remote Code Execution via Mooncake Integration | vllm | CWE-502 | 10.0 | Critical | 2025-04-30 |
| CVE-2025-46560 | vLLM phi4mm: Quadratic Time Complexity in Input Token Processing leads to denial of service | vllm | CWE-1333 | 6.5 | Medium | 2025-04-30 |
| CVE-2025-30202 | Data exposure via ZeroMQ on multi-node vLLM deployment | vllm | CWE-770 | 7.5 | High | 2025-04-30 |
| CVE-2025-29783 | vLLM Allows Remote Code Execution via Mooncake Integration | vllm | CWE-502 | 9.1 | Critical | 2025-03-19 |
| CVE-2025-29770 | vLLM denial of service via outlines unbounded cache on disk | vllm | CWE-770 | 6.5 | Medium | 2025-03-19 |
| CVE-2025-25183 | vLLM using built-in hash() from Python 3.12 leads to predictable hash collisions in vLLM prefix cache | vllm | CWE-354 | 2.6 | Low | 2025-02-07 |

This page lists every published CVE security advisory associated with vllm-project. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. An AI-generated Chinese analysis is provided for each entry to speed up triage.