CVE-2025-46560Regex Denial of Service in Vllm

CWE-1333Regex Denial of Service4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 31.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
VllmVllm-project Vllm
Timeline
PublishedApr 30

Description

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., , ) with repeated tokens based on precomputed lengths. Due to ​​inefficient list concatenation operations​​, the algorithm exhibits ​​quadratic time complexity (O(n²))​​, allowing malicious actor

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDvllm/vllm0.8.00.8.5
PyPIvllm/vllm0.8.00.8.5
CVEListV5vllm-project/vllm>= 0.8.0, < 0.8.5

🔴Vulnerability Details

2
OSV
phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service2025-04-29
GHSA
phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service2025-04-29

📋Vendor Advisories

1
Red Hat
vllm: vLLM phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service2025-04-30