6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62372

GHSA ID

GHSA-pmqf-x6x8-p7qw

EPSS Score

CWE

CWE-129

Published

11/20/2025

Updated

11/20/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62372

CVE-2025-62372: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

Summary

Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page).

The issue has existed ever since we added support for image embedding inputs, i.e. #6613 (released in v0.5.5)

Details

Using image embeddings as an example:

For models that support image embedding inputs, the engine crashes when scattering the embeddings to inputs_embeds (mismatched shape)
For models that don't support image embedding inputs, the engine crashes when validating the inputs inside get_input_embeddings (validation fails).

This happens because we only validate ndim of the tensor, but not the full shape, in input processor (via MultiModalDataParser).

Impact

Denial of service by crashing the engine

Mitigation

Use API key to limit access to trusted users.
Set --limit-mm-per-prompt to 0 for all non-text modalities to ban multimodal inputs, which includes multimodal embedding inputs. However, the model would then only accept text, defeating the purpose of using a multi-modal model.

Resolution

https://github.com/vllm-project/vllm/pull/27204

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62372

CVE-2025-62372:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62372

GHSA ID

GHSA-pmqf-x6x8-p7qw

EPSS Score

CWE

CWE-129

Published

11/20/2025

Updated

11/20/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vllm	pip	>= 0.5.5, < 0.11.1	0.11.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service (DoS) in vLLM's processing of multimodal and text embeddings. The root cause is the insufficient validation of the shape of user-provided embedding tensors. An attacker can provide an embedding with a correct number of dimensions (ndim) but an incorrect shape (e.g., wrong hidden dimension size), which causes the vLLM engine to crash when it attempts to process the tensor.

The vulnerability manifests in several functions that act as entrypoints for processing embeddings:

MultiModalProcessor._to_mm_items: This function orchestrates the processing of multi_modal_data. It calls MultiModalDataParser, which fails to validate the full tensor shape.
ImageContentParser.parse_image_embeds (and its async counterpart): These functions handle image embeddings within the chat API, passing them down to the vulnerable processing logic.
BaseRenderer.load_prompt_embeds: This function handles text embeddings (prompt_embeds), which are also susceptible to the same shape validation flaw.

The provided patch does not fix the underlying shape validation issue. Instead, it acts as a mitigation by introducing flags (--enable-mm-embeds and --enable-prompt-embeds) that are disabled by default. The vulnerable functions are modified to check for these flags before processing any embeddings. Therefore, the identified functions are the exact locations in the code where the vulnerable logic path begins. Before the patch, these functions would unconditionally process user-provided embeddings, making them the starting point of the exploit.

Vulnerable functions

MultiModalProcessor._to_mm_items

vllm/multimodal/processing.py

This function is the entrypoint for processing multimodal data. Before the patch, it would call `self.data_parser.parse_mm_data` which, according to the vulnerability description, does not properly validate the shape of embedding tensors. This allows an attacker to pass a malformed tensor, causing a denial of service. The patch mitigates this by adding a check to ensure multimodal embeddings are explicitly enabled.

ImageContentParser.parse_image_embeds

vllm/entrypoints/chat_utils.py

This function parses image embeddings from chat messages. Prior to the patch, it would process these embeddings without checking if the feature was enabled. An attacker could provide embeddings with an incorrect shape, leading to a crash. The patch adds a guard to prevent this unless the feature is explicitly enabled via `--enable-mm-embeds`.

AsyncImageContentParser.parse_image_embeds

vllm/entrypoints/chat_utils.py

This is the asynchronous version of `ImageContentParser.parse_image_embeds` and is vulnerable for the same reason. It handles image embeddings from chat messages in an asynchronous context and, before the patch, lacked the necessary guards to prevent processing of malformed embeddings.

BaseRenderer.load_prompt_embeds

vllm/entrypoints/renderer.py

This function is responsible for loading text embeddings (`prompt_embeds`). The vulnerability is not limited to multimodal inputs, as confirmed by the patch. Before the fix, this function would load and process user-supplied embeddings without them being explicitly enabled, creating a denial-of-service vector if the embedding shape was malformed. The patch mitigates this by adding a check for the `enable_prompt_embeds` flag.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62372: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

Summary

Details

Impact

Mitigation

Resolution

CVE-2025-62372:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-62372: vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

Summary

Details

Impact

Mitigation

Resolution

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

6.5

6.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI