CVE-2025-59425

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type: GIT
Repo: https://github.com/vllm-project/vllm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4c347044c90da878c9bacb33aaf6cba0fc01dd7c

Affected versions

Other

submission

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.10.0

v0.10.0rc1

v0.10.0rc2

v0.10.1rc1

v0.10.2rc1

v0.10.2rc2

v0.11.0rc1

v0.11.1rc0

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.4.0

v0.4.0.post1

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.5.0.post1

v0.5.1

v0.5.2

v0.5.3

v0.5.3.post1

v0.5.4

v0.5.5

v0.6.0

v0.6.1

v0.6.1.post1

v0.6.1.post2

v0.6.2

v0.6.3

v0.6.3.post1

v0.6.4

v0.6.4.post1

v0.6.5

v0.6.6

v0.6.6.post1

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.8.0rc1

v0.8.0rc2

v0.8.1

v0.8.2

v0.8.3rc1

v0.8.4

v0.9.0

v0.9.1

v0.9.1rc1

v0.9.1rc2

v0.9.2rc1