Data Integrity Issue in vLLM by the vLLM Project
CVE-2025-46722
What is CVE-2025-46722?
The vLLM inference and serving engine for large language models contains a vulnerability in its MultiModalHasher class. The image hashing method did not include essential metadata when serializing PIL.Image.Image objects: it called only obj.tobytes(), which returns just the raw pixel data. As a result, different images with identical pixel data sequences produced the same hash value, causing hash collisions. The consequences include incorrect cache hits, data leakage, and related security issues. The issue has been addressed in version 0.9.0, improving the integrity of image handling.
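The collision described above, as an added example that is not vLLM's or Pillow's code: a constructed stand-in for PIL.Image.Image exposes only mode, size and tobytes(); the weak hasher mirrors the pixel-only behaviour, and the fixed hasher binds mode and dimensions to the pixel bytes with length-prefixed fields (the exact serialization vLLM 0.9.0 uses is not shown on this page and is an assumption here).

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeImage:
    """Constructed stand-in for PIL.Image.Image with only the fields hashed here."""
    mode: str      # e.g. "L" (8-bit grayscale) or "RGB"
    size: tuple    # (width, height)
    pixels: bytes  # raw pixel buffer, as PIL's tobytes() would return it

    def tobytes(self) -> bytes:
        return self.pixels


def weak_image_hash(img: FakeImage) -> str:
    """Pre-0.9.0 behaviour: only the raw pixel buffer feeds the hash."""
    return hashlib.sha256(img.tobytes()).hexdigest()


def _field(tag: bytes, value: bytes) -> bytes:
    """Tag + 4-byte length prefix, so adjacent fields cannot be re-split."""
    return tag + len(value).to_bytes(4, "big") + value


def fixed_image_hash(img: FakeImage) -> str:
    """Hash mode, dimensions and pixel bytes together (assumed fix shape)."""
    h = hashlib.sha256()
    h.update(_field(b"mode", img.mode.encode("utf-8")))
    h.update(_field(b"size", f"{img.size[0]}x{img.size[1]}".encode("ascii")))
    h.update(_field(b"data", img.tobytes()))
    return h.hexdigest()


def demo() -> dict:
    """Three distinct images sharing one 12-byte pixel buffer (constructed)."""
    pixels = bytes(range(12))
    wide = FakeImage("L", (12, 1), pixels)   # 12x1 grayscale
    tall = FakeImage("L", (1, 12), pixels)   # 1x12 grayscale, same buffer
    rgb = FakeImage("RGB", (2, 2), pixels)   # 2x2 RGB, also 12 bytes
    weak = {weak_image_hash(i) for i in (wide, tall, rgb)}
    fixed = {fixed_image_hash(i) for i in (wide, tall, rgb)}
    return {
        "weak_collides": len(weak) == 1,     # one cache key for three images
        "fixed_distinct": len(fixed) == 3,   # metadata separates them
        "fixed_stable": fixed_image_hash(wide)
        == fixed_image_hash(FakeImage("L", (12, 1), bytes(range(12)))),
    }


if __name__ == "__main__":
    print(demo())
```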

Affected Version(s)
vllm >= 0.7.0, < 0.9.0
