PT-2025-34225 · Vllm · Vllm

Jperezdealgaba · Published 2025-08-21 · Updated 2025-08-24 · CVE-2025-48956

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: vLLM versions 0.1.0 through 0.10.1.0
Description: vLLM is an inference and serving engine for large language models (LLMs). A Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint, resulting in server memory exhaustion and potential crashes or unresponsiveness. The attack does not require authentication, so any remote user can exploit it. The attack abuses HTTP headers such as X-Forwarded-For by setting one to a very large value.
Recommendations: Upgrade to vLLM version 0.10.1.1 or later. Use a proxy in front of vLLM that provides protection against this issue.
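One way to apply the proxy recommendation, as an added example that is not part of this advisory: an nginx reverse-proxy fragment that rejects oversized request headers before they reach vLLM. It assumes vLLM listens on 127.0.0.1:8000 (its default) and that only the proxy is exposed; the body-size limit is an assumed value to tune for your longest expected prompt.

```nginx
# Added example (not from the advisory): nginx in front of vLLM, rejecting
# oversized request headers before they are forwarded to the inference server.
# Assumes vLLM listens on 127.0.0.1:8000 and is reachable only via this proxy.
upstream vllm_backend {
    server 127.0.0.1:8000;
}

server {
    listen 8080;

    # Buffer for the request line and ordinary-sized headers.
    client_header_buffer_size 1k;
    # At most 4 buffers of 8k for larger headers. A request whose headers
    # exceed this is answered by nginx with "400 Request Header Or Cookie
    # Too Large" and never reaches vLLM. These are nginx's defaults, stated
    # explicitly so they are not loosened by accident.
    large_client_header_buffers 4 8k;

    # Bound the request body as well (assumed limit; prompts are JSON, not uploads).
    client_max_body_size 1m;

    location / {
        proxy_pass http://vllm_backend;
        # Replace any client-supplied X-Forwarded-For with the observed
        # source address instead of forwarding the client's value.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}
```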

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers:
BDU:2026-06582
CVE-2025-48956
GHSA-RXC4-3W6R-4V47

Affected Products: Vllm