GHSA-PMQF-X6X8-P7QW

Vulnerability from github – Published: 2025-11-20 21:23 – Updated: 2025-11-21 15:31
VLAI?
Summary
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
Details

Summary

Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page).

The issue has existed ever since we added support for image embedding inputs, i.e. #6613 (released in v0.5.5)

Details

Using image embeddings as an example:

  • For models that support image embedding inputs, the engine crashes when scattering the embeddings to inputs_embeds (mismatched shape)
  • For models that don't support image embedding inputs, the engine crashes when validating the inputs inside get_input_embeddings (validation fails).

This happens because we only validate ndim of the tensor, but not the full shape, in input processor (via MultiModalDataParser).

Impact

  • Denial of service by crashing the engine

Mitigation

  • Use API key to limit access to trusted users.
  • Set --limit-mm-per-prompt to 0 for all non-text modalities to ban multimodal inputs, which includes multimodal embedding inputs. However, the model would then only accept text, defeating the purpose of using a multi-modal model.

Resolution

  • https://github.com/vllm-project/vllm/pull/27204
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
8.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.5"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-129"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-20T21:23:29Z",
    "nvd_published_at": "2025-11-21T02:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nUsers can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `shape` (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page).\n\nThe issue has existed ever since we added support for image embedding inputs, i.e. #6613 (released in v0.5.5)\n\n### Details\n\nUsing image embeddings as an example:\n\n- For models that support image embedding inputs, the engine crashes when scattering the embeddings to `inputs_embeds` (mismatched shape)\n- For models that don\u0027t support image embedding inputs, the engine crashes when validating the inputs inside `get_input_embeddings` (validation fails).\n\nThis happens because we only validate `ndim` of the tensor, but not the full shape, in input processor (via `MultiModalDataParser`).\n\n### Impact\n\n- Denial of service by crashing the engine\n\n### Mitigation\n\n- Use API key to limit access to trusted users.\n- Set `--limit-mm-per-prompt` to 0 for all non-text modalities to ban multimodal inputs, which includes multimodal embedding inputs. However, the model would then only accept text, defeating the purpose of using a multi-modal model.\n\n### Resolution\n\n- https://github.com/vllm-project/vllm/pull/27204",
  "id": "GHSA-pmqf-x6x8-p7qw",
  "modified": "2025-11-21T15:31:38Z",
  "published": "2025-11-20T21:23:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/27204"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/6613"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.