PT-2025-41009 · Vllm · Vllm
Russellb · Published 2025-09-28 · Updated 2025-10-16 · CVE-2025-59425
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
vLLM versions prior to 0.11.0rc2
Description
vLLM is an inference and serving engine for large language models (LLMs). In versions prior to 0.11.0rc2, the API key validation mechanism is susceptible to a timing attack: the string comparison used for validation takes longer the more characters of the provided API key match the expected key. By measuring the time taken over many validation attempts, an attacker could determine the correct characters of the key one at a time, leading to authentication bypass.
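The following is an added illustration of the weakness class described above, not vLLM's own code: a comparison that exits at the first mismatching character, an instrumented copy that counts how many characters it examined (the quantity that leaks through response time), and the constant-time replacement using `hmac.compare_digest` over fixed-length digests. The key value and the function names are constructed for the example.

```python
"""Timing-safe API key validation (added example; not vLLM's code)."""
import hashlib
import hmac

# Constructed sample key; a real deployment would load it from configuration.
EXPECTED_KEY = "sk-example-0123456789abcdef"


def validate_early_exit(provided: str, expected: str = EXPECTED_KEY) -> bool:
    """The vulnerable pattern the advisory describes: the loop stops at the
    first mismatching character, so the time spent grows with the number of
    leading characters that match."""
    if len(provided) != len(expected):
        return False
    for got, want in zip(provided, expected):
        if got != want:
            return False
    return True


def comparisons_performed(provided: str, expected: str = EXPECTED_KEY) -> int:
    """Instrumented copy of validate_early_exit that returns how many
    characters were compared before it stopped. It is 0 for a length
    mismatch and grows by one for every additional leading character that
    matches, which is exactly what makes the timing observable."""
    if len(provided) != len(expected):
        return 0
    count = 0
    for got, want in zip(provided, expected):
        count += 1
        if got != want:
            break
    return count


def validate_constant_time(provided: str, expected: str = EXPECTED_KEY) -> bool:
    """Hardened form: hmac.compare_digest examines every byte regardless of
    where the first difference is. Comparing SHA-256 digests rather than the
    raw strings also keeps the inputs a fixed length, since compare_digest
    may still reveal a length mismatch between its two arguments."""
    got = hashlib.sha256(provided.encode("utf-8")).digest()
    want = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    probes = ["wrong", "sk-example-" + "0" * 16, EXPECTED_KEY]
    for p in probes:
        print(f"{p!r}: early-exit compared {comparisons_performed(p)} chars, "
              f"result {validate_early_exit(p)} / "
              f"constant-time {validate_constant_time(p)}")
```

Note that `comparisons_performed` makes the leak visible without any timing measurement: a wrong key that shares a longer prefix with the expected key causes more work, while the digest comparison performs the same amount of work for every input.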
Recommendations
Update to version 0.11.0rc2 or later.
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Vllm