CVE-2025-62372
published 2025-11-21
Priority P3 · 35 · medium · CVSS 3.1 base score 6.5 · AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.33% (24.9th percentile)
vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | — | — |
| vllm | vllm | — | — |
| vllm | vllm | >= 0.5.5 < 0.11.1 | 0.11.1 |
| vllm | vllm | >= 0.5.5 < 0.11.1 | 0.11.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 8.3 | HIGH | — |
GHSA
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
ghsa · 2025-11-20 · CVE-2025-62372 · HIGH · CWE-129
### Summary
Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `shape` (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page).
The issue has existed ever since we added support for image embedding inputs, i.e. #6613 (released in v0.5.5).
### Details
Using image embeddings as an example:
- For models that support image embedding inputs, the engine crashes when scattering the embeddings to `inputs_embeds` (mismatched shape)
- For models that don't support image embedding inputs, the engine crashes when validating the inputs inside `get_input_embedd
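One way to close this gap at the request boundary, shown here as an added illustration rather than vLLM's own code: the ndim-only check the advisory describes beside a full-shape check that also pins the hidden dimension, with a constructed tensor stand-in (`EmbeddingInput`, `hidden_size` and `model_supports_embeddings` are assumptions, not vLLM names).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for a torch/numpy tensor: only its shape matters here.
@dataclass(frozen=True)
class EmbeddingInput:
    shape: Tuple[int, ...]

    @property
    def ndim(self) -> int:
        return len(self.shape)

class EmbeddingValidationError(ValueError):
    """Raised for malformed multimodal embeddings before they reach the model."""

def validate_ndim_only(emb: EmbeddingInput, expected_ndim: int) -> None:
    # The weak pattern: only the rank is checked, so a (num_tokens, wrong_hidden)
    # tensor passes here and blows up later during the scatter into inputs_embeds.
    if emb.ndim != expected_ndim:
        raise EmbeddingValidationError(f"expected ndim {expected_ndim}, got {emb.ndim}")

def validate_full_shape(emb: EmbeddingInput, hidden_size: int, expected_ndim: int = 2) -> None:
    # Hardened check: rank, non-empty leading axes, and the exact hidden dimension.
    validate_ndim_only(emb, expected_ndim)
    *leading, hidden = emb.shape
    if hidden != hidden_size:
        raise EmbeddingValidationError(
            f"hidden dimension mismatch: expected {hidden_size}, got {hidden}")
    if any(n <= 0 for n in leading):
        raise EmbeddingValidationError(f"invalid leading dimensions {tuple(leading)}")

def admit_embeddings(emb: EmbeddingInput, hidden_size: int,
                     model_supports_embeddings: bool) -> Optional[str]:
    """Gatekeeper at the API boundary. Returns None when the input may proceed,
    otherwise a client-facing message the server maps to a 400, not a crash."""
    if not model_supports_embeddings:
        # Reject up front instead of letting get_input_embeddings fail mid-request.
        return "model does not accept multimodal embedding inputs"
    try:
        validate_full_shape(emb, hidden_size)
    except EmbeddingValidationError as exc:
        return f"rejected multimodal embedding: {exc}"
    return None
```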
OSV
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
osv · 2025-11-20 · CVE-2025-62372 · HIGH
Red Hat
vllm: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
vendor_redhat · 2025-11-21 · CVSS 8.3 · CVE-2025-62372 · HIGH · CWE-129
A denial-of-service vulnerability in vLLM allows an attacker with API access to crash the engine by submitting multimodal embedding tensors that have the correct number of dimensions but an invalid internal shape. Because vLLM validates only the tensor’s ndim and not the full exp
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-21