Home > Vulnerability Database > CVE-2025-46570

Mend.io Vulnerability Database

CVE-2025-46570

Good to know:

Date: May 29, 2025

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.

Severity Score

2.6

Related Resources (7)

Url: https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-53.yaml

Url: https://github.com/vllm-project/vllm/security/advisories/GHSA-4qjh-9fv9-r85r

Url: https://github.com/vllm-project/vllm/pull/17045

Url: https://github.com/vllm-project/vllm/commit/77073c77bc2006eb80ea6d5128f076f5e6c6f54f

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-46570

Url: https://github.com/vllm-project/vllm

Url: https://www.mend.io/vulnerability-database/CVE-2025-46570

Severity Score

2.6

Weakness Type (CWE)

Observable Timing Discrepancy

CWE-208

Top Fix

Upgrade Version

Upgrade to version vllm - 0.9.0;https://github.com/vllm-project/vllm.git - v0.9.0

Learn More

CVSS v3.1

Base Score:	2.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-46570

Good to know:

Date: May 29, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?