CVE-2025-62372 in vLLM
Summary
by MITRE • 11/21/2025
vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.
Analysis
by VulDB Data Team • 01/22/2026
The vulnerability CVE-2025-62372 represents a critical input validation flaw in the vLLM inference engine that affects versions from 0.5.5 up to, but not including, 0.11.1. This issue specifically targets multimodal model serving, where the engine fails to properly validate the dimensional consistency of multimodal embeddings. The flaw allows attackers to deliberately crash the vLLM engine by submitting carefully crafted multimodal inputs that have the correct number of dimensions (ndim) but an incorrect shape, particularly a wrong hidden dimension. This represents a classic buffer overflow or memory corruption vulnerability that can be exploited through malformed input data without requiring authentication or privileged access.
The technical implementation of this vulnerability stems from inadequate input sanitization within the multimodal embedding processing pipeline. When the vLLM engine receives multimodal inputs with correct ndim values but incorrect shape parameters, the internal memory allocation and processing routines fail to validate the dimensional consistency before proceeding with computation. This allows the engine to attempt operations on memory regions that do not align with the expected data structure, leading to segmentation faults or similar crash conditions. The vulnerability specifically impacts multimodal models where the engine must handle various input types including images, text, and other modalities that require different dimensional representations. The flaw is particularly concerning because it can be triggered regardless of whether the target model is actually designed to support the specific input format being submitted, making it a broad-spectrum denial-of-service vector.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the availability and reliability of large language model serving infrastructure. Organizations relying on vLLM for production deployments could experience unexpected service outages when malicious or malformed inputs are processed, leading to degraded performance or complete system unavailability. This vulnerability affects the core serving functionality of the engine, meaning that any application or service built on top of vLLM could be impacted by this crash condition. The issue is particularly dangerous in high-throughput environments where automated input processing or batch operations could amplify the impact of a single malicious input. From a cybersecurity perspective, this represents a remote code execution vector that could be leveraged for more sophisticated attacks if combined with other vulnerabilities, though the immediate impact is primarily denial-of-service.
The mitigation strategy for CVE-2025-62372 involves upgrading to vLLM version 0.11.1 or later where the vulnerability has been patched. Organizations should implement comprehensive input validation at the application level to prevent malformed multimodal embeddings from reaching the vLLM engine, though this requires careful consideration of the legitimate input variations that should be accepted. The patched version includes enhanced dimensional consistency checks that validate both the number of dimensions and the specific shape parameters before processing begins. Security teams should also consider implementing rate limiting and input sanitization mechanisms as additional defensive measures. This vulnerability aligns with CWE-129 Input Validation and CWE-20 Improper Input Validation categories, and represents a typical example of how inadequate validation can lead to system instability. From an ATT&CK perspective, this vulnerability maps to T1499.004 Network Denial of Service and T1595.001 Network Infrastructure Compromise, as it can be used to disrupt service availability and potentially provide a foothold for further attacks. Organizations should conduct thorough testing of their vLLM deployments to ensure proper upgrade implementation and verify that the patched version correctly handles all expected input formats while maintaining system stability.
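The summary and the mitigation paragraph both turn on the same check: an embedding input can have the right number of dimensions and still be the wrong shape, so a validator must compare the full shape (in particular the hidden dimension) against the model, and must refuse embedding inputs for modalities the model does not declare. The following is an added example of such a pre-admission check, written here for this page; it is not vLLM's own code and does not reproduce the project's patch. `MODEL_CONFIG`, `validate_embedding`, `admit_request` and the sample inputs are constructed for illustration, and embeddings are represented as nested Python lists so the example runs without a tensor library.

```python
# Added example (not vLLM's own code): a pre-admission check for multimodal
# embedding inputs. It refuses tensors whose number of dimensions is right but
# whose shape is wrong (e.g. the hidden dimension does not match the model),
# and refuses embedding inputs for modalities the model does not declare,
# returning an error to the caller instead of letting the engine crash.
from typing import Any, Dict, Tuple


class InvalidEmbeddingInput(ValueError):
    """Raised when a multimodal embedding input does not match the model's layout."""


# Constructed, hypothetical model description: hidden size of the language
# backbone and, per modality, the expected ndim of a pre-computed embedding
# (here: image embeddings are 2-D, [num_patches, hidden_size]).
MODEL_CONFIG: Dict[str, Any] = {
    "hidden_size": 4096,
    "embedding_input_ndim": {"image": 2},
}


def infer_shape(data: Any) -> Tuple[int, ...]:
    """Shape of a nested-list tensor. Ragged (non-rectangular) input is rejected
    because no single shape can be assigned to it."""
    if not isinstance(data, list):
        return ()  # scalar leaf
    if not data:
        return (0,)
    first = infer_shape(data[0])
    for item in data[1:]:
        if infer_shape(item) != first:
            raise InvalidEmbeddingInput("ragged embedding input has no well-defined shape")
    return (len(data),) + first


def validate_embedding(modality: str, data: Any,
                       config: Dict[str, Any] = MODEL_CONFIG) -> Tuple[int, ...]:
    """Return the validated shape, or raise InvalidEmbeddingInput.

    Checks, in order: the model declares embedding inputs for this modality,
    the ndim is as declared, no dimension is empty, and the last (hidden)
    dimension equals the model's hidden size. The hidden-dimension check is
    the one a correct-ndim / wrong-shape input slips past when only ndim is
    validated.
    """
    expected_ndim = config["embedding_input_ndim"].get(modality)
    if expected_ndim is None:
        raise InvalidEmbeddingInput(
            f"model does not accept embedding inputs for modality {modality!r}")
    shape = infer_shape(data)
    if len(shape) != expected_ndim:
        raise InvalidEmbeddingInput(
            f"{modality} embedding must have ndim={expected_ndim}, got ndim={len(shape)}")
    if any(d == 0 for d in shape):
        raise InvalidEmbeddingInput(
            f"{modality} embedding has an empty dimension: shape={shape}")
    hidden = config["hidden_size"]
    if shape[-1] != hidden:
        raise InvalidEmbeddingInput(
            f"{modality} embedding hidden dim must be {hidden}, got {shape[-1]} (shape={shape})")
    return shape


def admit_request(multimodal_data: Dict[str, Any],
                  config: Dict[str, Any] = MODEL_CONFIG) -> Tuple[bool, str]:
    """Gate a whole request: (True, 'ok') or (False, reason).

    A rejected request is answered with a client error before any of its
    data reaches the engine, so one malformed input cannot take the server
    (and every other in-flight request) down with it.
    """
    for modality, data in multimodal_data.items():
        try:
            validate_embedding(modality, data, config)
        except InvalidEmbeddingInput as exc:
            return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    good = {"image": [[0.0] * 4096 for _ in range(3)]}        # shape (3, 4096)
    bad_hidden = {"image": [[0.0] * 4095 for _ in range(3)]}  # ndim right, hidden wrong
    print(admit_request(good))        # (True, 'ok')
    print(admit_request(bad_hidden))  # (False, 'image embedding hidden dim must be 4096, ...')
```

The check belongs at the API boundary, ahead of any tensor allocation or model-specific processing, and the rejection reason is returned to the client as a validation error rather than logged as an engine fault. Keeping the expected ndim and hidden size in the model description (rather than hard-coded) is what lets the same gate also enforce the "does this model accept embedding inputs at all" rule the summary mentions.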