Data Integrity Issue in vLLM by the vLLM Project
CVE-2025-46722

4.2 MEDIUM

Key Information:

Status
Vendor
CVE Published:
29 May 2025

What is CVE-2025-46722?

The vLLM inference and serving engine for large language models contains a security vulnerability in its MultiModalHasher class. The image hashing method serialized PIL.Image.Image objects using only obj.tobytes(), which returns just the raw pixel data and omits the image's essential metadata. As a result, different images with identical raw pixel byte sequences produce the same hash value, causing hash collisions. The consequences include incorrect cache hits, data leakage, and related security problems. The issue is fixed in version 0.9.0.
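The collision described above, and the shape of a metadata-aware fix, as an added illustration that is not vLLM's own code. It uses a small stand-in class exposing the three PIL.Image.Image attributes that matter here (mode, size and tobytes()), so it runs without Pillow; the assumption that mode and dimensions are the metadata to bind into the hash, and the length-prefixed serialization used for the hardened hasher, are this example's choices, not the project's.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLike:
    """Stand-in for PIL.Image.Image: the attributes the hasher cares about.

    mode   - pixel format, e.g. "L" (8-bit grayscale) or "RGB"
    size   - (width, height)
    pixels - raw pixel bytes, what PIL's Image.tobytes() returns
    """
    mode: str
    size: tuple
    pixels: bytes

    def tobytes(self) -> bytes:
        return self.pixels


def from_pil(img) -> ImageLike:
    """Adapt a real PIL.Image.Image (duck-typed; Pillow not required here)."""
    return ImageLike(img.mode, img.size, img.tobytes())


def hash_pixels_only(img: ImageLike) -> str:
    """Weak hasher: digests only tobytes(), mirroring the flaw in the advisory.

    Two images that differ in mode or dimensions but share the same raw pixel
    byte sequence collide, so a cache keyed on this digest can serve the wrong
    image.
    """
    return hashlib.sha256(img.tobytes()).hexdigest()


def hash_with_metadata(img: ImageLike) -> str:
    """Hardened hasher: binds mode and dimensions to the pixel data.

    Every variable-length field is length-prefixed (big-endian, fixed width) so
    the serialization is unambiguous: no choice of mode string or pixel buffer
    can shift field boundaries to produce another image's encoding. This is an
    assumed design, not the fix vLLM 0.9.0 actually ships.
    """
    mode = img.mode.encode("utf-8")
    width, height = img.size
    pixels = img.tobytes()
    blob = (
        struct.pack(">I", len(mode)) + mode
        + struct.pack(">II", width, height)
        + struct.pack(">Q", len(pixels)) + pixels
    )
    return hashlib.sha256(blob).hexdigest()


def collision_demo():
    """Constructed inputs: 8 pixel bytes laid out as 2x4 and as 4x2 grayscale,
    and 6 pixel bytes read as 1x2 RGB versus 1x6 grayscale.

    Returns (weak_collides_shape, weak_collides_mode, hardened_collides).
    """
    raw8 = bytes(range(8))
    tall = ImageLike("L", (2, 4), raw8)
    wide = ImageLike("L", (4, 2), raw8)

    raw6 = b"\x10\x20\x30\x40\x50\x60"
    rgb = ImageLike("RGB", (1, 2), raw6)
    gray = ImageLike("L", (1, 6), raw6)

    weak_shape = hash_pixels_only(tall) == hash_pixels_only(wide)     # True
    weak_mode = hash_pixels_only(rgb) == hash_pixels_only(gray)       # True
    hardened = (
        hash_with_metadata(tall) == hash_with_metadata(wide)
        or hash_with_metadata(rgb) == hash_with_metadata(gray)
    )                                                                 # False
    return weak_shape, weak_mode, hardened


if __name__ == "__main__":
    print("pixels-only hasher collides on shape/mode:", collision_demo()[:2])
    print("metadata-aware hasher collides:", collision_demo()[2])
```

Any cache keyed on the hash should treat the hasher output as the identity of the full object being cached, so whatever fields can change the downstream result (here the interpretation of the pixel buffer) must be part of the digest, and identical logical images must still hash identically, which the length-prefixed encoding preserves.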

Affected Version(s)

vllm >= 0.7.0, < 0.9.0

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
