← Back

CVE-2025-62372

nvd nist
Published: Nov 21, 2025Modified: Dec 4, 2025

JSON object

Loading...
8.3
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.

Affected (3)

Products: Vllm: Vllm
Vllm
1 product
Vllm
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Vllm
Vllm
From 0.5.5 to 0.11.1
Vllm
Version 0.11.1 rc0
Vllm
Version 0.11.1 rc1

Related CWEs

CWE-129
Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References (4)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Issue TrackingPatchVendor Advisory
Source: security-advisories@github.com
Issue Tracking
Source: security-advisories@github.com
MitigationVendor Advisory

Timeline

No history available yet.