Home > Vulnerability Database > CVE-2025-59425

Mend.io Vulnerability Database

CVE-2025-59425

Good to know:

Date: October 7, 2025

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

Severity Score

7.5

Related Resources (7)

Url: https://github.com/vllm-project/vllm/security/advisories/GHSA-wr9h-g72x-mwhm

Url: https://github.com/vllm-project/vllm/commit/ee10d7e6ff5875386c7f136ce8b5f525c8fcef48

Url: https://github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py#L1270-L1274

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-59425

Url: https://github.com/vllm-project/vllm

Url: https://github.com/vllm-project/vllm/releases/tag/v0.11.0

Url: https://www.mend.io/vulnerability-database/CVE-2025-59425

Severity Score

7.5

Weakness Type (CWE)

Covert Timing Channel

CWE-385

Top Fix

Upgrade Version

Upgrade to version vllm - 0.11.0;https://github.com/vllm-project/vllm.git - v0.11.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-59425

Good to know:

Date: October 7, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?