CVE-2025-48956
HIGH 7.5 | EPSS 0.31%
vllm API endpoints vulnerable to Denial of Service Attacks
Description
### Summary

A Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user.

### Details

The vulnerability leverages the abuse of HTTP headers. By setting a header such as `X-Forwarded-For` to a very large value like `("A" * 5_800_000_000)`, the server's HTTP parser or application logic may attempt to load the entire request into memory, overwhelming system resources.

### Impact

Type of vulnerability: Denial of Service (DoS)

### Resolution

Upgrade to a version of vLLM that includes appropriate HTTP limits by default, or use a proxy in front of vLLM which provides protection against this issue.
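As an added illustration of the mitigation named under Resolution (example code written for this page, not vLLM's own code or the referenced patch), below is a minimal request-head reader that enforces a byte cap, next to a constructed client stand-in that streams an oversized `X-Forwarded-For` value without ever materialising it. The 8 KiB cap, the request path and the host name are assumptions.

```python
MAX_HEAD_BYTES = 8192  # assumed cap: 8 KiB, in line with common proxy defaults

class HeaderTooLarge(Exception):
    """Raised when the request head exceeds the configured cap."""

class LazyRequest:
    """Constructed client stand-in: yields prefix + b"A" * n + suffix on demand, so a huge header is free to produce."""
    def __init__(self, prefix: bytes, n: int, suffix: bytes):
        self.prefix, self.n, self.suffix = prefix, n, suffix
        self.total, self.pos = len(prefix) + n + len(suffix), 0
    def read(self, size: int) -> bytes:
        out = bytearray()
        while len(out) < size and self.pos < self.total:
            want, fill_end = size - len(out), len(self.prefix) + self.n
            if self.pos < len(self.prefix):
                seg = self.prefix[self.pos:self.pos + want]
            elif self.pos < fill_end:
                seg = b"A" * min(want, fill_end - self.pos)
            else:
                seg = self.suffix[self.pos - fill_end:self.pos - fill_end + want]
            out += seg
            self.pos += len(seg)
        return bytes(out)

def read_head_capped(reader, max_bytes: int = MAX_HEAD_BYTES) -> bytes:
    """Read the request head up to the blank line, but never let the buffer grow past
    max_bytes plus one chunk; a parser that appends until it sees CRLF CRLF does not."""
    buf = bytearray()
    while True:
        end = buf.find(b"\r\n\r\n")
        if end != -1 and end + 4 <= max_bytes:
            return bytes(buf[:end + 4])
        if end != -1 or len(buf) >= max_bytes:
            raise HeaderTooLarge(f"request head exceeds {max_bytes} bytes")
        chunk = reader.read(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk

def respond(reader) -> int:
    """Status the server answers: 200 if the head parsed, 431 if it was rejected."""
    try:
        read_head_capped(reader)
        return 200
    except HeaderTooLarge:
        return 431

def xff_request(n: int) -> LazyRequest:
    # GET with an X-Forwarded-For value of n bytes; path and host are illustrative.
    head = b"GET /v1/models HTTP/1.1\r\nHost: vllm.example\r\nX-Forwarded-For: "
    return LazyRequest(head, n, b"\r\n\r\n")
```

With the cap in place the multi-gigabyte request from the advisory is refused after two 4 KiB reads, and memory use stays bounded regardless of what the client sends.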
Affected packages (1)
- PyPI/vllm: >= 0.1.0, < 0.10.1.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-48956
- PATCH: https://github.com/vllm-project/vllm
- WEB: https://github.com/vllm-project/vllm/commit/d8b736f913a59117803d6701521d2e4861701944
- WEB: https://github.com/vllm-project/vllm/pull/23267
- WEB: https://github.com/vllm-project/vllm/security/advisories/GHSA-rxc4-3w6r-4v47