8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62164

CVE-2025-62164: vLLM deserialization vulnerability leading to DoS and potential RCE

Summary

A memory corruption vulnerability that leading to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation.

Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM.

Details

A vulnerability that can lead to RCE from the completions API endpoint exists in vllm, where due to missing checks when loading user-provided tensors, an out-of-bounds write can be triggered. This happens because the default behavior of torch.load(tensor, weights_only=True) since pytorch 2.8.0 is to not perform validity checks for sparse tensors, and this needs to be enabled explicitly using the torch.sparse.check_sparse_tensor_invariants context manager.

The vulnerability is in the following code in vllm/entrypoints/renderer.py:148

    def _load_and_validate_embed(embed: bytes) -> EngineEmbedsPrompt:
        tensor = torch.load(
            io.BytesIO(pybase64.b64decode(embed, validate=True)),
            weights_only=True,
            map_location=torch.device("cpu"),
        )
        assert isinstance(tensor, torch.Tensor) and tensor.dtype in (
            torch.float32,
            torch.bfloat16,
            torch.float16,
        )
        tensor = tensor.to_dense()

Because of the missing checks, loading invalid prompt embedding tensors provided by the user can cause an out-of-bounds write in the call to to_dense .

Impact

All users with access to this API are able to exploit this vulnerability. Unsafe deserialization of untrusted input can be abused to achieve DoS and potentially remote code execution (RCE) in the vLLM server process. This impacts deployments running vLLM as a server or any instance that deserializes untrusted/model-provided payloads.

Fix

https://github.com/vllm-project/vllm/pull/27204

Acknowledgements

Finder: AXION Security Research Team (Omri Fainaro, Bary Levy): discovery and coordinated disclosure.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62164

CVE-2025-62164:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vllm	pip	>= 0.10.2, < 0.11.1	0.11.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the unsafe deserialization of user-provided tensor embeddings using torch.load. In PyTorch versions 2.8.0 and later, integrity checks for sparse tensors are disabled by default. This allows an attacker to craft a malicious sparse tensor that causes an out-of-bounds write when converted to a dense tensor via to_dense(), leading to a denial-of-service (crash) and potentially remote code execution.

The primary vulnerable function identified is CompletionRenderer.load_prompt_embeds in vllm/entrypoints/renderer.py. This function is responsible for handling the prompt_embeds parameter in the Completions API. The torch.load call occurs within a nested function, _load_and_validate_embed.

The analysis of the patch commit 58fab50d82838d5014f4a14d991fdb9352c9c84b reveals that the fix was not to add the missing validation (torch.sparse.check_sparse_tensor_invariants), but rather to disable the feature by default. The feature can only be re-enabled by explicitly setting the --enable-prompt-embeds flag.

The same commit also introduced a similar guard (--enable-mm-embeds) for functions handling image embeddings, specifically ChatParser.parse_image_embeds and AsyncChatParser.parse_image_embeds. This strongly suggests that the same deserialization vulnerability existed for multimodal embeddings, even though it was not explicitly mentioned in the initial vulnerability description. Therefore, these functions are also included as likely vulnerable.

Vulnerable functions

CompletionRenderer.load_prompt_embeds

vllm/entrypoints/renderer.py

This function processes base64-encoded prompt embeddings provided by the user. It uses `torch.load` within the nested `_load_and_validate_embed` function to deserialize the data. Due to a change in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. A malicious user can provide a crafted sparse tensor that, when `to_dense()` is called, causes an out-of-bounds memory write, leading to a denial-of-service or potential remote code execution. The patch mitigates this by requiring a flag (`--enable-prompt-embeds`) to be explicitly set to use this feature.

ChatParser.parse_image_embeds

vllm/entrypoints/chat_utils.py

This function processes user-provided image embeddings. Although the exact deserialization code is not in this function, the patch adds a guard (`--enable-mm-embeds`) that is consistent with the fix for the `prompt_embeds` vulnerability. This indicates that a similar unsafe deserialization vulnerability likely exists in the code path that processes these image embeddings, which is called from this function. The vulnerability pattern is the same: unsafe deserialization of user-controlled data leading to potential memory corruption.

AsyncChatParser.parse_image_embeds

vllm/entrypoints/chat_utils.py

This is the asynchronous version of `ChatParser.parse_image_embeds`. It shares the same vulnerability pattern. It processes user-provided image embeddings, and the patch adds a guard (`--enable-mm-embeds`) to disable this feature by default, suggesting that the underlying processing of these embeddings is vulnerable to the same unsafe deserialization issue as `prompt_embeds`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62164: vLLM deserialization vulnerability leading to DoS and potential RCE

Summary

Details

Impact

Fix

Acknowledgements

CVE-2025-62164:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-62164: vLLM deserialization vulnerability leading to DoS and potential RCE

Summary

Details

Impact

Fix

Acknowledgements

Basic Information

Basic Information

8.8

8.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI