
Cloud Vulnerability DB
A community-led vulnerabilities database
A resource-exhaustion (denial-of-service) vulnerability exists in vLLM's OpenAI-Compatible Server, identified as CVE-2025-61620. The vulnerability was discovered and disclosed on October 7, 2025, affecting vLLM versions >= 0.5.1 and < 0.11.0. The issue stems from improper handling of Jinja templates supplied via the chat_template and chat_template_kwargs request parameters in the server implementation (Miggo Database).
The vulnerability has been assigned a CVSS v3.1 score of 6.5 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue occurs in the chat completion functionality, where the server accepts user-supplied Jinja templates through both the chat_template parameter and chat_template_kwargs. The implementation merges request-supplied keyword arguments with a plain dict.update, which lets a request overwrite existing template configuration. The vulnerability is tracked under GHSA-6fvq-23cw-5628 and is categorized as CWE-400 (Miggo Database, Red Hat Security).
When exploited, this vulnerability can lead to a denial-of-service condition by exhausting CPU and memory resources through maliciously crafted Jinja templates. The impact is particularly severe as it can render the server unresponsive to legitimate requests, affecting the availability of applications using vLLM. The vulnerability requires authenticated access or the ability to supply templates to the vLLM server (Red Hat Security).
The vulnerability has been patched in vLLM version 0.11.0. The fix introduces a trust_request_chat_template flag, so request-supplied templates are only honored when the operator opts in, and a new resolve_chat_template_kwargs function that sanitizes the keyword arguments before they are merged. Organizations are advised to upgrade to the patched version. The fix is available through GitHub pull request #25794 (Miggo Database).
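The following is an added illustration of the mitigation pattern the advisory describes; it is not vLLM's code and does not reproduce the patch. The ServerConfig class, the reserved-key list, the size cap and the function names (resolve_chat_template, resolve_chat_template_kwargs, request_is_accepted) are assumptions chosen for this example. The unchecked dict.update is shown beside the hardened merge so the difference is visible: the hardened path refuses request templates unless the trust flag is set and refuses kwargs that would replace the server's own template variables.

```python
"""Hardened resolution of request-supplied chat templates.

Added example modelled on the mitigation described for CVE-2025-61620;
it is not vLLM's code. The config fields, the reserved-key list, the
size cap and the function names are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Variables the server itself binds when rendering a chat template. A
# request must not be able to replace them through chat_template_kwargs
# (assumed list; the real server's reserved names may differ).
RESERVED_TEMPLATE_KEYS = frozenset(
    {"messages", "tools", "add_generation_prompt", "bos_token", "eos_token"}
)
# Cap on a request-supplied template so an oversized template is refused
# before it is compiled or rendered (assumed value).
MAX_TEMPLATE_BYTES = 64 * 1024


class UntrustedTemplateError(ValueError):
    """Raised when a request carries a template the operator has not opted to trust."""


@dataclass
class ServerConfig:
    # Opt-in switch in the spirit of the trust flag added by the fix.
    trust_request_chat_template: bool = False
    # Operator-configured template and defaults; constructed for this example.
    default_chat_template: str = (
        "{% for m in messages %}{{ m.role }}: {{ m.content }}\n{% endfor %}"
        "{% if add_generation_prompt %}assistant:{% endif %}"
    )
    default_chat_template_kwargs: Dict[str, Any] = field(default_factory=dict)


def merge_kwargs_vulnerable(defaults: Dict[str, Any],
                            request_kwargs: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """The pattern the advisory describes: an unchecked dict.update lets the
    request overwrite any existing template configuration."""
    merged = dict(defaults)
    merged.update(request_kwargs or {})
    return merged


def resolve_chat_template(cfg: ServerConfig, request_template: Optional[str]) -> str:
    """Use the request's template only when the operator has enabled trust."""
    if request_template is None:
        return cfg.default_chat_template
    if not cfg.trust_request_chat_template:
        raise UntrustedTemplateError(
            "request-supplied chat_template rejected; "
            "enable trust_request_chat_template to allow it"
        )
    if len(request_template.encode("utf-8")) > MAX_TEMPLATE_BYTES:
        raise ValueError("chat_template exceeds the configured size limit")
    return request_template


def resolve_chat_template_kwargs(cfg: ServerConfig,
                                 request_kwargs: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Merge request kwargs over server defaults without letting the request
    override reserved names or pass keys that are not plain identifiers."""
    merged = dict(cfg.default_chat_template_kwargs)
    for key, value in (request_kwargs or {}).items():
        if not isinstance(key, str) or not key.isidentifier():
            raise ValueError(f"invalid chat_template_kwargs key: {key!r}")
        if key in RESERVED_TEMPLATE_KEYS:
            raise ValueError(f"chat_template_kwargs may not override reserved key {key!r}")
        merged[key] = value
    return merged


def request_is_accepted(cfg: ServerConfig, request_template: Optional[str] = None,
                        request_kwargs: Optional[Dict[str, Any]] = None) -> bool:
    """Admission check: True when both the template and the kwargs pass policy."""
    try:
        resolve_chat_template(cfg, request_template)
        resolve_chat_template_kwargs(cfg, request_kwargs)
    except ValueError:  # UntrustedTemplateError is a ValueError subclass
        return False
    return True


def build_prompt(cfg: ServerConfig, messages, request_template=None, request_kwargs=None) -> str:
    """Render the resolved template with the resolved kwargs (requires jinja2)."""
    # The sandboxed environment restricts unsafe attribute access and mutation
    # inside the template; it is a second layer, not a substitute for the gate above.
    from jinja2.sandbox import ImmutableSandboxedEnvironment

    source = resolve_chat_template(cfg, request_template)
    kwargs = resolve_chat_template_kwargs(cfg, request_kwargs)
    env = ImmutableSandboxedEnvironment(autoescape=False)
    return env.from_string(source).render(messages=messages, add_generation_prompt=True, **kwargs)


if __name__ == "__main__":
    cfg = ServerConfig()
    msgs = [{"role": "user", "content": "hello"}]  # constructed sample request
    try:
        print(build_prompt(cfg, msgs, request_kwargs={"enable_thinking": False}))
    except ImportError:
        print("jinja2 not installed; rendering skipped")
    print("request overriding 'messages' accepted:",
          request_is_accepted(cfg, request_kwargs={"messages": []}))
```

With the default configuration a request that carries its own chat_template is refused outright, and a request whose chat_template_kwargs names one of the server's own template variables is refused even when the trust flag is on; only ordinary template options such as enable_thinking pass through to the merge.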
Source: This report was generated using AI