vLLM is vulnerable to timing attack at bearer auth

GHSA-wr9h-g72x-mwhm · CVE-2025-59425

Published Oct 7, 2025 · Modified Feb 4, 2026

Description

Summary

The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an attacker to discover a valid API key using an approach more efficient than brute force.

Details

https://github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py#L1270-L1274

API key validation used a string comparison that will take longer the more characters the provided API key gets correct. Data analysis across many attempts can allow an attacker to determine when it finds the next correct character in the key sequence.

Impact

Deployments relying on vLLM's built-in API key validation are vulnerable to authentication bypass using this technique.

References

WEB https://github.com/vllm-project/vllm/security/advisories/GHSA-wr9h-g72x-mwhm
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-59425
WEB https://github.com/vllm-project/vllm/commit/ee10d7e6ff5875386c7f136ce8b5f525c8fcef48
PACKAGE https://github.com/vllm-project/vllm
WEB https://github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py#L1270-L1274
WEB https://github.com/vllm-project/vllm/releases/tag/v0.11.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes