CVE-2025-59425: vLLM is vulnerable to timing attack at bearer auth
The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an attacker to discover a valid API key using an approach more efficient than brute force.
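The class of bug described above is a secret comparison whose running time depends on how much of the guess matches. The following is an added illustration, not vLLM's own code (the actual vulnerable and fixed lines are in the referenced api_server.py and commit); the header parsing, the function names and the sample keys are assumptions, and the hardened form also handles multiple configured keys and non-ASCII tokens.

```python
import hmac
from typing import Iterable, Optional


def _extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def is_authorized_vulnerable(authorization: Optional[str], valid_keys: Iterable[str]) -> bool:
    """Illustrative weak check: plain '==' returns as soon as one character differs,
    so the response time leaks how long a prefix of the guess matched the real key."""
    token = _extract_bearer(authorization)
    if token is None:
        return False
    return any(token == key for key in valid_keys)


def is_authorized_constant_time(authorization: Optional[str], valid_keys: Iterable[str]) -> bool:
    """Hardened check: hmac.compare_digest runs in time that depends only on the
    lengths of its inputs, not on where they differ."""
    token = _extract_bearer(authorization)
    if token is None:
        return False
    # compare_digest only accepts str when both sides are ASCII; comparing
    # UTF-8 bytes works for any key material.
    presented = token.encode("utf-8")
    matched = False
    for key in valid_keys:
        # OR over every configured key instead of returning on the first hit,
        # so timing does not reveal which key matched or how many were checked.
        matched |= hmac.compare_digest(presented, key.encode("utf-8"))
    return matched


if __name__ == "__main__":
    # Constructed sample keys; real deployments should use long random keys so
    # the one thing compare_digest still exposes, the length, carries no secret.
    keys = ["sk-test-123", "sk-backup-456"]
    print(is_authorized_constant_time("Bearer sk-test-123", keys))   # True
    print(is_authorized_constant_time("Bearer sk-test-12", keys))    # False
```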
References
- github.com/advisories/GHSA-wr9h-g72x-mwhm
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py
- github.com/vllm-project/vllm/commit/ee10d7e6ff5875386c7f136ce8b5f525c8fcef48
- github.com/vllm-project/vllm/releases/tag/v0.11.0
- github.com/vllm-project/vllm/security/advisories/GHSA-wr9h-g72x-mwhm
- nvd.nist.gov/vuln/detail/CVE-2025-59425