Publish GHSA-pmqf-x6x8-p7qw

advisory-database[bot] · advisory-database[bot] · commit 205dec0644ec · 2025-11-20T21:24:54.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-pmqf-x6x8-p7qw/GHSA-pmqf-x6x8-p7qw.json b/advisories/github-reviewed/2025/11/GHSA-pmqf-x6x8-p7qw/GHSA-pmqf-x6x8-p7qw.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pmqf-x6x8-p7qw",
+  "modified": "2025-11-20T21:23:29Z",
+  "published": "2025-11-20T21:23:29Z",
+  "aliases": [
+    "CVE-2025-62372"
+  ],
+  "summary": "vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs",
+  "details": "### Summary\n\nUsers can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `shape` (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page).\n\nThe issue has existed ever since we added support for image embedding inputs, i.e. #6613 (released in v0.5.5)\n\n### Details\n\nUsing image embeddings as an example:\n\n- For models that support image embedding inputs, the engine crashes when scattering the embeddings to `inputs_embeds` (mismatched shape)\n- For models that don't support image embedding inputs, the engine crashes when validating the inputs inside `get_input_embeddings` (validation fails).\n\nThis happens because we only validate `ndim` of the tensor, but not the full shape, in input processor (via `MultiModalDataParser`).\n\n### Impact\n\n- Denial of service by crashing the engine\n\n### Mitigation\n\n- Use API key to limit access to trusted users.\n- Set `--limit-mm-per-prompt` to 0 for all non-text modalities to ban multimodal inputs, which includes multimodal embedding inputs. However, the model would then only accept text, defeating the purpose of using a multi-modal model.\n\n### Resolution\n\n- https://github.com/vllm-project/vllm/pull/27204",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "vllm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.5.5"
+            },
+            {
+              "fixed": "0.11.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/pull/27204"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/pull/6613"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vllm-project/vllm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-129"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-20T21:23:29Z",
+    "nvd_published_at": null
+  }
+}
