CVE-2025-62372: 
vLLM vulnerability analysis and mitigation

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs. The vulnerability was discovered and disclosed on November 20, 2025, and has been assigned CVE-2025-62372 (GitHub Advisory).

The vulnerability stems from insufficient validation of multimodal embedding inputs. The engine only validates the number of dimensions (ndim) of the tensor but not the full shape in the MultiModalDataParser. This leads to two failure scenarios: 1) For models supporting image embedding inputs, the engine crashes when scattering embeddings to inputsembeds due to mismatched shapes, and 2) For models not supporting image embedding inputs, the engine crashes during input validation inside getinput_embeddings. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Moderate) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability allows attackers to cause denial of service by crashing the vLLM engine through malformed multimodal embedding inputs. This affects the availability of the model serving infrastructure (GitHub Advisory).

Prior to updating, users can mitigate the vulnerability by: 1) Using API keys to limit access to trusted users only, or 2) Setting --limit-mm-per-prompt to 0 for all non-text modalities to ban multimodal inputs, though this defeats the purpose of using multimodal models. The vulnerability has been patched in version 0.11.1 (GitHub Advisory).

The vulnerability was responsibly disclosed and patched through a coordinated effort between the reporter DarkLight1337 and reviewers ywang96 and Isotr0py. The fix was implemented through PR #27204 which introduced additional validation flags for loading text and image embeddings (GitHub PR).