{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T17:11:28.705","vulnerabilities":[{"cve":{"id":"CVE-2025-46722","sourceIdentifier":"security-advisories@github.com","published":"2025-05-29T17:15:21.523","lastModified":"2025-06-24T18:12:30.023","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0.9.0."},{"lang":"es","value":"vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLM). En versiones desde la 0.7.0 hasta anteriores a la 0.9.0, en el archivo vllm/multimodal/hasher.py, la clase MultiModalHasher presenta un problema de seguridad e integridad de datos en su método de hash de imágenes. Actualmente, serializa los objetos PIL.Image.Image utilizando únicamente obj.tobytes(), que devuelve únicamente los datos de píxeles sin procesar, sin incluir metadatos como la forma de la imagen (ancho, alto, modo). Como resultado, dos imágenes de diferentes tamaños (p. ej., 30x100 y 100x30) con la misma secuencia de bytes de píxeles podrían generar el mismo valor hash. Esto puede provocar colisiones de hash, aciertos de caché incorrectos e incluso fugas de datos o riesgos de seguridad. Este problema se ha corregido en la versión 0.9.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L","baseScore":4.2,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1023"},{"lang":"en","value":"CWE-1288"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*","versionStartIncluding":"0.7.0","versionEndExcluding":"0.9.0","matchCriteriaId":"08DBEEAC-7BAC-4A44-894B-5F544B5CF9D3"}]}]}],"references":[{"url":"https://github.com/vllm-project/vllm/commit/99404f53c72965b41558aceb1bc2380875f5d848","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/vllm-project/vllm/pull/17378","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-c65p-x677-fgj6","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}