Hash Collision Vulnerability in vLLM by vLLM Project
CVE-2025-25183

2.6 LOW

Key Information:

CVE Published:
7 February 2025

What is CVE-2025-25183?

vLLM is a high-performance engine for serving large language models (LLMs). Versions before 0.7.2 are affected by a hash collision vulnerability that arises from the use of Python's built-in hash() function: Python 3.12 changed hash(None) to a fixed constant, so hashes derived from it are predictable. An attacker may exploit this by crafting statements whose hashes collide, inducing cache reuse that disrupts the accuracy or behaviour of subsequent responses. Left unremediated, the flaw compromises the integrity of the system. The issue is fixed in version 0.7.2, and users are strongly encouraged to update to that version or later.
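As an added illustration (not vLLM's own code; the prefix-cache layout it models, a key built from a parent hash, a block's token ids and an optional extra tuple, is an assumption), here is a cache key built from Python's hash() beside a keyed SHA-256 alternative of the kind a fix would use:

```python
# Added example, not code from the vLLM project. Models the described issue:
# a cache key derived from Python's hash() is predictable, a keyed digest is not.
import hashlib
import hmac
import os
import pickle
import sys
from typing import List, Optional, Sequence, Tuple

TokenIds = Tuple[int, ...]


def weak_block_key(parent: int, tokens: TokenIds, extra: Optional[tuple]) -> int:
    """Assumed pre-fix pattern: key = hash(tuple). hash() of ints, tuples and
    None is never randomised by PYTHONHASHSEED, and on Python >= 3.12
    hash(None) is a fixed constant, so every term of this key is predictable."""
    return hash((parent, tokens, extra))


def hash_none_is_constant() -> bool:
    """True on Python >= 3.12, where hash(None) no longer depends on the
    object's address (it was id()-derived on earlier versions)."""
    return sys.version_info >= (3, 12)


class KeyedBlockHasher:
    """Hardened key: HMAC-SHA256 over a canonical encoding, keyed with a
    per-process random secret. Collisions cannot be crafted without the
    secret, and None, () and (None,) all encode differently."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret if secret is not None else os.urandom(32)

    @staticmethod
    def _encode(parent: bytes, tokens: TokenIds, extra: Optional[tuple]) -> bytes:
        # pickle with a fixed protocol is deterministic for these immutable
        # types and keeps the type information (None vs empty tuple).
        return pickle.dumps((parent, tokens, extra), protocol=5)

    def block_key(self, parent: bytes, tokens: TokenIds,
                  extra: Optional[tuple] = None) -> bytes:
        data = self._encode(parent, tokens, extra)
        return hmac.new(self._secret, data, hashlib.sha256).digest()

    def chain(self, blocks: Sequence[Sequence[int]], extra=None) -> List[bytes]:
        """Key each block on its predecessor's digest, so an identical block
        following a different prefix never maps to the same cache entry."""
        parent, keys = b"", []
        for tokens in blocks:
            parent = self.block_key(parent, tuple(tokens), extra)
            keys.append(parent)
        return keys
```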

Affected Version(s)

vllm < 0.7.2

CVSS V3.1

Score:
2.6
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
