CVE-2025-62164

CVE-2025-62164 is a memory corruption vulnerability affecting vLLM, an inference and serving engine for large language models, in versions 0.10.2 through 0.11.0. The issue resides in the Completions API endpoint, which processes user-supplied prompt embeddings by loading serialized tensors via torch.load() without adequate validation. A change in PyTorch 2.8.0 disables sparse tensor integrity checks by default, allowing maliciously crafted tensors to bypass internal bounds checks and trigger an out-of-bounds memory write during the to_dense() call.

Attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 8.8. By submitting specially crafted prompt embeddings to the Completions API endpoint, an attacker can cause a denial-of-service crash or potentially achieve remote code execution on the hosting server, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability maps to CWEs including CWE-20 (Improper Input Validation), CWE-123 (Write-what-where Condition), CWE-502 (Deserialization of Untrusted Data), and CWE-787 (Out-of-bounds Write).

The vLLM project has patched this issue in version 0.11.1. Mitigation details are available in the project's security advisory (GHSA-mrw7-hf4f-83pf), the fixing pull request (#27204), and the commit (58fab50d82838d5014f4a14d991fdb9352c9c84b) that adds validation to prevent the exploitation of malformed sparse tensors.

This vulnerability is particularly relevant to AI/ML deployments, as vLLM is designed for serving LLMs, potentially exposing production inference servers to risks from untrusted inputs. No public reports of real-world exploitation are noted in the available information.