
Cloud Vulnerability DB
A community-led vulnerabilities database
A resource-exhaustion (denial-of-service) vulnerability exists in vLLM's OpenAI-Compatible Server, identified as CVE-2025-61620. The vulnerability was discovered and disclosed on October 7, 2025, affecting vLLM versions >= 0.5.1 and < 0.11.0. The issue stems from improper handling of Jinja templates via the chat_template and chat_template_kwargs parameters in the server implementation (Miggo Database).
The vulnerability has been assigned a CVSS v3.1 score of 6.5 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (network-reachable, low privileges, no user interaction, availability impact only). The issue occurs in the chat completion functionality, where the server accepts a user-supplied Jinja template through the chat_template parameter and additional rendering options through chat_template_kwargs. The request's chat_template_kwargs are merged into the template-rendering keyword arguments with dict.update, so a key named chat_template inside chat_template_kwargs replaces the template the operator configured; a client therefore does not even need the chat_template parameter itself to get an attacker-controlled template rendered. The vulnerability is tracked under GHSA-6fvq-23cw-5628 and is categorized as CWE-400 (Uncontrolled Resource Consumption) (Miggo Database, Red Hat Security).
When exploited, this vulnerability can lead to a denial-of-service condition by exhausting CPU and memory resources through maliciously crafted Jinja templates. The impact is particularly severe as it can render the server unresponsive to legitimate requests, affecting the availability of applications using vLLM. The vulnerability requires authenticated access or the ability to supply templates to the vLLM server (Red Hat Security).
The vulnerability has been patched in vLLM version 0.11.0. The fix introduces a trust_request_chat_template server option (the --trust-request-chat-template CLI flag, off by default), so request-supplied chat templates are rejected unless the operator explicitly opts in, and a new resolve_chat_template_kwargs function that restricts chat_template_kwargs to the keyword arguments the template-rendering call actually accepts, which closes the dict.update override. Organizations are advised to upgrade to the patched version; until they can, they should ensure the OpenAI-compatible endpoints are reachable only by trusted, authenticated clients, and after upgrading they should leave the trust flag disabled for any deployment that serves untrusted clients, since enabling it restores the ability to supply arbitrary templates. The fix is available through GitHub pull request #25794 (Miggo Database).
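The following added example (not vLLM's code, and not part of this report) models the two request paths described above: the pre-fix dict.update merge that lets chat_template_kwargs override the configured template, and a hardened resolver in the spirit of the 0.11.0 fix that requires an operator opt-in for request-supplied templates and filters chat_template_kwargs to an allowlist derived from the rendering function's signature. The apply_chat_template stand-in, its parameter names, the server template and the attacker template are all constructed assumptions; the attacker template is never rendered, because rendering an unbounded loop like it with real Jinja is exactly the resource exhaustion the advisory warns about.

```python
import inspect

# Constructed server-side default template (stand-in for the model's own chat template).
SERVER_CHAT_TEMPLATE = (
    "{% for m in messages %}{{ m['role'] }}: {{ m['content'] }}\n{% endfor %}"
)

# Constructed attacker template: an unbounded loop of the kind the advisory describes.
# It is only carried around as a string here; it is never rendered.
MALICIOUS_TEMPLATE = "{% for i in range(10**9) %}{{ i }}{% endfor %}"


def apply_chat_template(messages, chat_template=None, add_generation_prompt=False, tools=None):
    """Hypothetical stand-in for tokenizer.apply_chat_template.

    Instead of rendering, it reports which template would be rendered and with
    which options, so the example stays offline and cannot exhaust resources.
    """
    return {
        "template": chat_template if chat_template is not None else SERVER_CHAT_TEMPLATE,
        "add_generation_prompt": add_generation_prompt,
        "tools": tools,
        "messages": list(messages),
    }


def vulnerable_resolve(request):
    """Pre-fix pattern from the advisory: request fields merged with dict.update.

    chat_template_kwargs is applied last, so a key named 'chat_template' silently
    replaces the template the operator configured.
    """
    kwargs = {"chat_template": request.get("chat_template") or SERVER_CHAT_TEMPLATE}
    kwargs.update(request.get("chat_template_kwargs") or {})  # the bug: unrestricted override
    return apply_chat_template(request["messages"], **kwargs)


def resolve_chat_template_kwargs(raw_kwargs, *, reserved=("messages", "chat_template")):
    """Keep only kwargs that apply_chat_template accepts and that are not reserved.

    Illustrates the idea behind the fix's resolve_chat_template_kwargs; this is not
    vLLM's implementation. Unknown or reserved keys raise instead of being dropped
    silently, so a client learns that its request would have been altered.
    """
    accepted = set(inspect.signature(apply_chat_template).parameters) - set(reserved)
    bad = sorted(set(raw_kwargs) - accepted)
    if bad:
        raise ValueError(f"unsupported chat_template_kwargs: {bad}")
    return dict(raw_kwargs)


def hardened_resolve(request, trust_request_chat_template=False):
    """Post-fix behaviour: a request-supplied template needs an explicit operator opt-in."""
    requested = request.get("chat_template")
    if requested is not None and not trust_request_chat_template:
        raise ValueError(
            "request-supplied chat_template rejected; "
            "server started without --trust-request-chat-template"
        )
    kwargs = resolve_chat_template_kwargs(request.get("chat_template_kwargs") or {})
    template = requested if requested is not None else SERVER_CHAT_TEMPLATE
    return apply_chat_template(request["messages"], chat_template=template, **kwargs)


def is_accepted(request, trust_request_chat_template=False):
    """True if the hardened path would serve the request, False if it rejects it."""
    try:
        hardened_resolve(request, trust_request_chat_template)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    attack = {
        "messages": [{"role": "user", "content": "hi"}],
        "chat_template_kwargs": {"chat_template": MALICIOUS_TEMPLATE},
    }
    print("vulnerable path renders attacker template:",
          vulnerable_resolve(attack)["template"] == MALICIOUS_TEMPLATE)
    print("hardened path accepts attack:", is_accepted(attack))
```

The hardened resolver rejects rather than strips an unexpected key; silently dropping it would also be safe, but an explicit error makes the attempt visible in server logs and tells legitimate clients why an option was ignored. Note that with the trust flag enabled the direct chat_template parameter is honoured again, which is why the flag should stay off on any server that serves untrusted clients.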
Source: This report was generated using AI