vLLM Vulnerability Enables Remote Code Execution Through Malicious Payloads

A critical vulnerability has been discovered in vLLM, a widely used high-throughput inference and serving engine for Large Language Models.

The flaw, identified as CVE-2025-62164, enables attackers to execute arbitrary code remotely through maliciously crafted payloads sent to the Completions API endpoint.

With a CVSS score of 8.8 out of 10, this high-severity vulnerability poses an immediate threat to organizations deploying vLLM in production environments.

The vulnerability affects vLLM versions 0.10.2 and later, stemming from improper handling of user-supplied prompt embeddings.

When processing these embeddings, the system deserializes tensors using PyTorch’s torch.load() function without adequate validation checks.

This oversight creates a dangerous attack vector that malicious actors can readily exploit to compromise hosting environments.

Memory Corruption Vulnerability Threatens vLLM Deployments

The root cause of this vulnerability lies in a behavioral change introduced in PyTorch 2.8.0, which disabled sparse tensor integrity checks by default.

This configuration allows attackers to craft malicious tensors that bypass internal bounds checks. When these compromised tensors are processed by the to_dense() function, they trigger an out-of-bounds memory write, corrupting the application’s memory space and enabling code execution.

Security researchers from AXION Security Research Team, specifically Omri Fainaro and Bary Levy, discovered this vulnerability through coordinated disclosure efforts.

Their findings reveal that any user with API access can exploit this weakness to achieve two significant impacts: denial-of-service attacks that crash the vLLM server and remote code execution that compromises the entire hosting environment.

The vulnerability resides in the _load_and_validate_embed function within vllm/entrypoints/renderer.py, where missing validation allows unsafe deserialization of untrusted input.

The function accepts base64-encoded tensors from users but fails to enable PyTorch’s torch.sparse.check_sparse_tensor_invariants context manager, which would usually prevent such attacks.

Attribute	Details
CVE ID	CVE-2025-62164
Severity	High
CVSS Score	8.8/10
Affected Product	vLLM (pip)
Affected Versions	≥ 0.10.2
Attack Vector	Network (Completions API endpoint)
Weakness Categories	Improper Input Validation, Unsafe Deserialization, Out-of-Bounds Write, Write-What-Where Condition
Primary Impact	Remote Code Execution, Denial of Service
Discovery Team	AXION Security Research Team (Omri Fainaro, Bary Levy)

The Common Vulnerability Scoring System assigns this flaw a score of 8.8 out of 10, classifying it as high severity.

The vulnerability encompasses multiple weakness categories, including improper input validation, deserialization of untrusted data, write-what-where conditions, and out-of-bounds write operations all critical factors that elevate the risk profile of this flaw.

The vLLM development team has addressed this security issue through pull request #27204, which implements proper tensor validation before deserialization.

Organizations running vLLM as a server or processing untrusted model-provided payloads should immediately apply the available patch to protect their deployments from potential exploitation.

Security teams should prioritize updating vLLM instances to patched versions and implementing network-level controls to restrict API access to trusted sources.

Additionally, organizations should monitor vLLM logs for suspicious tensor-based payloads and consider implementing request validation mechanisms at the API gateway level.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post vLLM Vulnerability Enables Remote Code Execution Through Malicious Payloads appeared first on Cyber Security News.