CVE-2025-11915 MEDIUM

CVE-2025-11915: HTTP Desynchronisation in Vertex AI for certain third-party models

Vendor Google Cloud
Product Vertex AI: Partner Models for MaaS
Weakness CWE-444
Published October 22, 2025
Last update October 23, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/U:Clear

What the vulnerability does

01Description

Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front of impacted models by 2025-09-28. Users do not need to take any action.

Key dates

02Disclosure timeline

October 22, 2025 CVE published
October 23, 2025 Record updated