Timing Attack Vulnerability in vLLM API Key Validation
CVE-2025-59425

7.5HIGH

Key Information:

Vendor

Vllm-project

Status
Vllm
Vendor
CVE Published:
7 October 2025

What is CVE-2025-59425?

vLLM, an inference and serving engine for large language models, contains a vulnerability related to its API key validation mechanism. Prior to version 0.11.0rc2, the validation process employed a string comparison method susceptible to timing attacks, which allowed attackers to exploit the increased response time for correct character sequences. This exploitation could lead to an authentication bypass, as the attacker could deduce the next correct character in the key. Users should upgrade to version 0.11.0rc2 or later to mitigate this issue.

Affected Version(s)

vllm < 0.11.0rc2

References

https://github.com/vllm-project/vllm/security/advisories/...
x_refsource_CONFIRM
https://github.com/vllm-project/vllm/commit/ee10d7e6ff587...
x_refsource_MISC
https://github.com/vllm-project/vllm/blob/4b946d693e0af15...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-59425 : Timing Attack Vulnerability in vLLM API Key Validation