CVE-2025-48956
vllm API endpoints vulnerable to Denial of Service Attacks
Description
### Summary A Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. ### Details The vulnerability leverages the abuse of HTTP headers. By setting a header such as `X-Forwarded-For` to a very large value like `("A" * 5_800_000_000)`, the server's HTTP parser or application logic may attempt to load the entire request into memory, overwhelming system resources. ### Impact _What kind of vulnerability is it? Who is impacted?_ Type of vulnerability: Denial of Service (DoS) ### Resolution Upgrade to a version of vLLM that includes appropriate HTTP limits by deafult, or use a proxy in front of vLLM which provides protection against this issue.
How to fix CVE-2025-48956
To remediate CVE-2025-48956, upgrade the affected package to a fixed version below.
- —upgrade to 0.10.1.1 or later
Is CVE-2025-48956 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.1.0, < 0.10.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |