Home > Vulnerability Database > CVE-2025-46560

Mend.io Vulnerability Database

CVE-2025-46560

Good to know:

Date: April 29, 2025

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_|>, <|image_|>) with repeated tokens based on precomputed lengths. Due to inefficient list concatenation operations, the algorithm exhibits quadratic time complexity (O(n²)), allowing malicious actors to trigger resource exhaustion via specially crafted inputs. This issue has been patched in version 0.8.5.

Severity Score

6.5

Related Resources (5)

Url: https://github.com/vllm-project/vllm/security/advisories/GHSA-vc6m-hm49-g9qg

Url: https://github.com/vllm-project/vllm

Url: https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model_executor/models/phi4mm.py#L1182-L1197

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-46560

Url: https://www.mend.io/vulnerability-database/CVE-2025-46560

Severity Score

6.5

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version vllm - 0.8.5;https://github.com/vllm-project/vllm.git - v0.8.5

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-46560

Good to know:

Date: April 29, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?