CVE-2025-62372

Name: CVE-2025-62372
Creator: NVD / NIST
Published: 2025-11-21T02:15:43.393+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.3/10EPSS 0.33%

Last modified Jun 17, 2026

CVE-2025-62372 is a high-severity vulnerability rated 8.3/10 on the CVSS scale. vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. EPSS estimates a 0.33% chance of exploitation in the next 30 days.

Description

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0

8.3/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.33%

24.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-129

Affected Software

Vendor	Product	Versions	Update
Vllm	Vllm	>= 0.5.5, < 0.11.1	—
Vllm	Vllm	0.11.1	Rc0

References

https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84bPatch
https://github.com/vllm-project/vllm/pull/27204Issue Tracking, Patch, Vendor Advisory
https://github.com/vllm-project/vllm/pull/6613Issue Tracking
https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qwMitigation, Vendor Advisory

Timeline

Published: Nov 21, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-62372?

How severe is CVE-2025-62372?

CVE-2025-62372 has a CVSS score of 8.3/10 (HIGH severity). The EPSS model estimates a 0.33% probability of exploitation in the next 30 days.

How do I fix CVE-2025-62372?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-62372?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST