CVE-2025-59425
published 2025-10-07


Priority: P3 54 high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
EPSS: 0.54% (41.2th percentile)
vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, vLLM's API key support validated keys with a string comparison that is vulnerable to a timing attack: the comparison takes longer the more leading characters of the supplied key are correct. By analysing response times across many attempts, an attacker could determine when the next character in the key sequence has been guessed correctly. Deployments relying on vLLM's built-in API key validation are therefore exposed to authentication bypass via this technique. Version 0.11.0rc2 fixes the issue.
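As an added illustration (not vLLM's own code), the vulnerable comparison pattern described above beside a constant-time replacement; VALID_API_KEY, the function names and the Bearer-header parsing are constructed for the example:

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample key; a real deployment loads this from configuration.
VALID_API_KEY = "sk-example-0123456789abcdef"


def check_api_key_naive(presented: str, expected: str = VALID_API_KEY) -> bool:
    """Vulnerable pattern: ordinary string equality.

    CPython's ``==`` on str returns immediately on a length mismatch and
    otherwise stops at the first differing byte, so the running time grows
    with the length of the matching prefix. That is the leak behind
    CVE-2025-59425.
    """
    return presented == expected


def check_api_key_constant_time(presented: str, expected: str = VALID_API_KEY) -> bool:
    """Hardened pattern: compare fixed-length digests with hmac.compare_digest.

    hmac.compare_digest runs in time independent of *where* the inputs differ,
    but it still returns early when the lengths differ. Hashing both sides
    first yields equal-length inputs, so neither key content nor key length
    is observable through timing.
    """
    presented_digest = hashlib.sha256(presented.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(presented_digest, expected_digest)


def authenticate(authorization_header: Optional[str], expected: str = VALID_API_KEY) -> bool:
    """Parse an ``Authorization: Bearer <key>`` header and validate the key.

    Missing or malformed headers are rejected with the same result as a
    wrong key, so the caller never branches on *why* authentication failed.
    """
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return False
    return check_api_key_constant_time(token, expected)
```

Both checks return the same booleans; the difference is only in how long a wrong guess takes to be rejected, which is what a timing attacker measures.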

Affected (4 ranges)

Vendor         Product   Version range       Fixed in
vllm-project   vllm      < 0.11.0rc2         0.11.0rc2
vllm           vllm      < 0.11.0            0.11.0
vllm           vllm      (not specified)     (not specified)
vllm           vllm      >= 0, < 0.11.0      0.11.0

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat: 7.5 HIGH