CVE-2025-59425 — HIGH (7.5)

Q: How severe is CVE-2025-59425?

CVE-2025-59425 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-59425?

Check the references section above for vendor advisories and patch information. Affected products include: Vllm Vllm.

Vulnerability Description

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more characters the provided API key gets correct. Data analysis across many attempts could allow an attacker to determine when it finds the next correct character in the key sequence. Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique. Version 0.11.0rc2 fixes the issue.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Vllm	Vllm	< 0.11.0

Related Weaknesses (CWE)

CWE-385

References

FAQ

What is CVE-2025-59425?

CVE-2025-59425 is a vulnerability with a CVSS score of 7.5 (HIGH). vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attac...

How severe is CVE-2025-59425?

CVE-2025-59425 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-59425?

Check the references section above for vendor advisories and patch information. Affected products include: Vllm Vllm.