
CVE

CVE-2025-62372

vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

Summary

Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with the correct ndim but an incorrect shape (e.g. a wrong hidden dimension), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page).

The issue has existed since support for image embedding inputs was added in #6613 (released in v0.5.5).

Details

Using image embeddings as an example:

  • For models that support image embedding inputs, the engine crashes when scattering the embeddings into inputs_embeds (shape mismatch between the supplied rows and the model's hidden size).
  • For models that don't support image embedding inputs, the engine crashes when validating the inputs inside get_input_embeddings (the validation fails with an unhandled error rather than rejecting the request).

This happens because the input processor (via MultiModalDataParser) only validates the tensor's ndim, not its full shape, so a tensor of the right rank but the wrong hidden dimension reaches the model.
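The ndim-only check and a full-shape check side by side, as an added example written for this page (it is not vLLM's code). Tensors are modelled as nested Python lists so it runs without torch; HIDDEN_SIZE, PLACEHOLDER_ID, the BadRequest/EngineCrash classes and the scatter routine are assumptions standing in for the engine's real components. The point it shows: with the rank-only check a well-formed request with the wrong hidden dimension passes validation and fails later, inside the engine, while the full-shape check turns the same request into a client error at the API boundary.

```python
# Added example, not vLLM's code. Tensors are nested Python lists;
# HIDDEN_SIZE and PLACEHOLDER_ID are assumed values for illustration.

HIDDEN_SIZE = 8          # assumed model hidden dimension
PLACEHOLDER_ID = -1      # assumed token id marking an image-embedding slot


class BadRequest(Exception):
    """Rejected at the API boundary; the engine keeps serving."""


class EngineCrash(Exception):
    """Unhandled failure inside the engine; in the advisory this takes the server down."""


def shape(t):
    """Infer the shape of a rectangular nested list, e.g. [[1, 2], [3, 4]] -> (2, 2).
    Raises BadRequest if the nesting is ragged (a real tensor cannot be ragged)."""
    dims = []
    cur = t
    while isinstance(cur, list) and cur:
        dims.append(len(cur))
        cur = cur[0]
    if isinstance(cur, list):      # reached an empty list: that level has size 0
        dims.append(0)
    shp = tuple(dims)
    _check_rectangular(t, shp, 0)
    return shp


def _check_rectangular(x, shp, depth):
    if depth == len(shp):
        if isinstance(x, list):
            raise BadRequest("ragged tensor: nesting deeper than inferred shape")
        return
    if not isinstance(x, list) or len(x) != shp[depth]:
        raise BadRequest(f"ragged tensor: expected {shp[depth]} elements at depth {depth}")
    for y in x:
        _check_rectangular(y, shp, depth + 1)


def validate_ndim_only(emb):
    """Vulnerable pattern from the advisory: only the rank is checked."""
    shp = shape(emb)
    if len(shp) != 2:
        raise BadRequest(f"expected 2-D [num_patches, hidden], got ndim={len(shp)}")
    return emb


def validate_full_shape(emb, hidden_size=HIDDEN_SIZE):
    """Hardened pattern: check the rank and the trailing hidden dimension."""
    shp = shape(emb)
    if len(shp) != 2:
        raise BadRequest(f"expected 2-D [num_patches, hidden], got ndim={len(shp)}")
    if shp[1] != hidden_size:
        raise BadRequest(f"embedding hidden size {shp[1]} != model hidden size {hidden_size}")
    return emb


def scatter_embeddings(inputs_embeds, token_ids, mm_emb):
    """Copy each embedding row into its placeholder position (assumed model of the
    scatter step). A strict tensor copy is assumed: any shape mismatch is an
    unhandled error, which is the crash the advisory describes."""
    slots = [i for i, tok in enumerate(token_ids) if tok == PLACEHOLDER_ID]
    if len(slots) != len(mm_emb):
        raise EngineCrash(f"{len(slots)} placeholder slots vs {len(mm_emb)} embedding rows")
    for pos, row in zip(slots, mm_emb):
        if len(row) != len(inputs_embeds[pos]):
            raise EngineCrash(f"row width {len(row)} != hidden size {len(inputs_embeds[pos])}")
        inputs_embeds[pos] = list(row)
    return inputs_embeds


def serve(token_ids, mm_emb, validator):
    """Simulate the request path: validate, then scatter. Returns (status, detail)."""
    inputs_embeds = [[0.0] * HIDDEN_SIZE for _ in token_ids]
    try:
        emb = validator(mm_emb)
    except BadRequest as e:
        return ("400", str(e))
    try:
        scatter_embeddings(inputs_embeds, token_ids, emb)
    except EngineCrash as e:
        return ("crash", str(e))
    return ("200", "ok")


if __name__ == "__main__":
    tokens = [5, PLACEHOLDER_ID, PLACEHOLDER_ID, 7, PLACEHOLDER_ID, 9]   # constructed prompt
    wrong_hidden = [[0.1] * 4 for _ in range(3)]                        # ndim 2, hidden 4 != 8
    print(serve(tokens, wrong_hidden, validate_ndim_only))   # ('crash', ...)
    print(serve(tokens, wrong_hidden, validate_full_shape))  # ('400', ...)
```

The scatter assumes a strict copy. A broadcast-tolerant assignment (as tensor libraries do for a trailing dimension of 1) would accept some wrong shapes silently and write garbage into the prompt instead of failing, which is a further reason to validate the full shape at the parser rather than rely on the scatter to fail loudly.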

Impact

  • Denial of service by crashing the engine

Mitigation

  • Use an API key to limit access to trusted users. This only restricts who can reach the endpoint; any authenticated user can still trigger the crash (the CVSS vector rates it PR:L), so it reduces exposure rather than removing the bug.
  • Set --limit-mm-per-prompt to 0 for every non-text modality to disallow multimodal inputs, which includes multimodal embedding inputs. The model then accepts text only, which defeats the purpose of serving a multimodal model.

Resolution

  • Fixed by https://github.com/vllm-project/vllm/pull/27204 (fix available in 0.11.1); upgrade to a fixed release rather than relying on the mitigations above.


CVSS

Severity | Base Score | CVSS Version | Score Vector
High | 8.3 | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Medium | 6.5 | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


References

  • https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw
  • https://nvd.nist.gov/vuln/detail/CVE-2025-62372
  • https://github.com/vllm-project/vllm/pull/27204
  • https://github.com/vllm-project/vllm/pull/6613
  • https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b
  • https://github.com/vllm-project/vllm


Basic Information

Base CVSS: 6.5
EPSS Probability: 0.00055%
EPSS Percentile: 0.17488%
Introduced Version: 0.5.5, 0.6.3.post1, 0.6.4.post1, 0.6.5, 0.6.6.post1, 0.7.0, 0.8.0, 0.10.2
Fix Available: 0.11.1
