PT-2025-18217 · Vllm · Vllm

D3Do-23 +2 · Published 2025-04-29 · Updated 2025-04-30 · CVE-2025-46560

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

vLLM versions 0.8.0 through 0.8.4

Description

The issue concerns a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. It is caused by inefficient list concatenation operations, resulting in quadratic time complexity (O(n²)), which allows malicious actors to trigger resource exhaustion via specially crafted inputs.

Recommendations

For versions 0.8.0 through 0.8.4, update to version 0.8.5 to resolve the issue. As a temporary workaround, consider restricting the use of the multimodal tokenizer to minimize the risk of exploitation.
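
The bug class named in the description, as an added example that is not vLLM's code and not part of the original advisory: a token-list expansion written with repeated concatenation next to the in-place form, counting element copies so the O(n²) versus O(n) growth is visible without timing. `PLACEHOLDER`, the function names and the `max_len` budget are hypothetical, chosen for illustration.

```python
# Constructed illustration of the bug class; not vLLM source code.
PLACEHOLDER = -1  # hypothetical marker id standing in for a multimodal item


def _piece(tok, repeat):
    # A marker expands to `repeat` copies; any other token passes through.
    return [PLACEHOLDER] * repeat if tok == PLACEHOLDER else [tok]


def expand_quadratic(token_ids, repeat):
    """Quadratic form: every iteration builds a brand-new list."""
    out, copied = [], 0
    for tok in token_ids:
        out = out + _piece(tok, repeat)  # copies all of `out` again
        copied += len(out)               # elements written this step
    return out, copied


def expand_linear(token_ids, repeat):
    """Linear form: append in place, amortised O(1) per element."""
    out, copied = [], 0
    for tok in token_ids:
        piece = _piece(tok, repeat)
        out.extend(piece)
        copied += len(piece)
    return out, copied


def expand_checked(token_ids, repeat, max_len):
    """Linear form plus a size budget enforced before any expansion work."""
    markers = sum(1 for t in token_ids if t == PLACEHOLDER)
    final_len = len(token_ids) + markers * (repeat - 1)
    if final_len > max_len:
        raise ValueError(f"expanded prompt of {final_len} tokens exceeds {max_len}")
    return expand_linear(token_ids, repeat)[0]


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        prompt = [PLACEHOLDER, 7] * (n // 2)  # constructed input
        _, q = expand_quadratic(prompt, 4)
        _, l = expand_linear(prompt, 4)
        print(f"n={n:>5}  quadratic copies={q:>10}  linear copies={l:>6}")
```

Doubling the input length roughly quadruples the copy count of the concatenating form and only doubles that of the in-place form, which is the signature to look for when reviewing request preprocessing code.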

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-03424
CVE-2025-46560
GHSA-VC6M-HM49-G9QG

Affected Products

Vllm