PT-2025-23136 · Vllm · Vllm

Kexinoh · Published 2025-04-29 · Updated 2025-06-24 · CVE-2025-46722

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.7.0 through 0.8.x

Description: The issue is a security and data-integrity flaw in the image hashing method of the MultiModalHasher class. The method serializes PIL.Image.Image objects using only obj.tobytes(), which returns the raw pixel data without metadata such as the image's shape. Two images with the same pixel byte sequence but different dimensions therefore produce the same hash value, which can lead to hash collisions, incorrect cache hits, and potential data leakage or other security risks.

Recommendations: For versions 0.7.0 through 0.8.x, update to version 0.9.0, which includes a patch for this issue. As a temporary workaround, modify the serialize_item method of the MultiModalHasher class so that all critical metadata (dimensions, color mode, format, and the info dictionary) is included in the hash calculation, which prevents these collisions.
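Added example (not vLLM's code): a minimal reproduction of the collision described above next to a metadata-aware digest of the kind the workaround calls for. FakeImage is a constructed stand-in for PIL.Image.Image that exposes the same attributes (tobytes, size, mode, format, info); the field layout and the choice of blake2b are assumptions, not vLLM's implementation.

```python
import hashlib


class FakeImage:
    """Constructed stand-in for PIL.Image.Image (not part of vLLM or Pillow).
    A real PIL image exposes the same attributes and can be passed instead."""

    def __init__(self, pixels: bytes, size, mode="L", fmt=None, info=None):
        self._pixels, self.size, self.mode = pixels, size, mode
        self.format, self.info = fmt, info or {}

    def tobytes(self) -> bytes:
        return self._pixels


def vulnerable_hash(img) -> str:
    # Pre-0.9.0 behaviour from the advisory: only raw pixel bytes are hashed,
    # so the image's shape, mode, format and info are invisible to the digest.
    return hashlib.blake2b(img.tobytes()).hexdigest()


def hardened_hash(img) -> str:
    # Hash a length-prefixed serialization of the metadata before the pixels,
    # so any change to size, mode, format or info changes the digest and no
    # field boundary can be confused with another (no ambiguous concatenation).
    h = hashlib.blake2b()

    def field(name, value):
        blob = f"{name}={value!r}".encode()
        h.update(len(blob).to_bytes(4, "big"))
        h.update(blob)

    field("size", tuple(img.size))
    field("mode", img.mode)
    field("format", img.format)
    field("info", sorted(img.info.items()))
    pixels = img.tobytes()
    h.update(len(pixels).to_bytes(8, "big"))
    h.update(pixels)
    return h.hexdigest()


def collision_demo():
    # Constructed 8-byte grayscale payload laid out as 8x1 and as 1x8:
    # identical bytes, different shape.
    pixels = bytes(range(8))
    wide, tall = FakeImage(pixels, (8, 1)), FakeImage(pixels, (1, 8))
    return (vulnerable_hash(wide) == vulnerable_hash(tall),   # True: collision
            hardened_hash(wide) == hardened_hash(tall))       # False: distinct
```

A cache keyed on the vulnerable digest would serve the 8x1 entry to a request for the 1x8 image; the hardened digest keeps them apart while still being stable for a genuine duplicate.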

Related Identifiers

BDU:2026-03422
CVE-2025-46722
GHSA-C65P-X677-FGJ6
PYSEC-2025-43

Affected Products

Vllm