CVE-2025-1953
LOW
vLLM AIBrix: weak hash in prefix cache leaks inference patterns
Low-severity cryptographic weakness in AIBrix's prefix cache indexer allows adjacent-network attackers to predict cache keys and infer prompt patterns processed by the LLM inference layer. Exploitation requires existing low-level network access and high complexity, making opportunistic attacks unlikely. Upgrade to AIBrix 0.3.0 immediately if running this component in multi-tenant or shared inference infrastructure.
Recommended Action
1. **Patch**: Upgrade AIBrix to v0.3.0 (fixes randomness in prefix cache hash generation per PR #752).
2. **Network isolation**: Ensure vLLM inference nodes are firewalled to trusted segments only; block lateral access from non-inference workloads.
3. **Least privilege**: Audit who holds low-level access to inference infrastructure network segments.
4. **Detection**: Monitor for anomalous cache-related query patterns or repeated hash-probing behavior in gateway logs.
5. **Workaround if unpatched**: Disable prefix caching in AIBrix config until upgrade is applied.
Technical Details
NVD Description
A vulnerability has been found in vLLM AIBrix 0.2.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file pkg/plugins/gateway/prefixcacheindexer/hash.go of the component Prefix Caching. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.3.0 is able to address this issue. It is recommended to upgrade the affected component.
Exploitation Scenario
An adversary with low privileges on the same network segment as the AIBrix gateway (e.g., a compromised sidecar container or co-located microservice) probes the prefix cache indexer by sending crafted inference requests. Due to weak randomness in the hash function, they can predict or enumerate cache key collisions, determining which prompt prefixes are actively cached. In a multi-tenant SaaS LLM deployment, this could allow one tenant to infer prompt prefix patterns used by other tenants, leaking system prompt structures or repeated input templates. The high attack complexity means this requires knowledge of the AIBrix caching implementation and controlled network positioning.
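The weakness class behind this scenario (insufficiently random values feeding cache-key generation), shown beside a keyed alternative in an added Go example that is not AIBrix's code or the PR #752 patch. `WeakHasher`, `KeyedHasher`, `Predictable` and the token IDs are hypothetical names and constructed data, and FNV-1a and HMAC-SHA256 are stand-ins chosen for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/fnv"
)

// PrefixHasher maps a block of prompt token IDs to a prefix-cache key.
type PrefixHasher interface{ Key(tokens []int32) uint64 }

// WeakHasher (hypothetical): fixed or guessable seed, so keys can be computed offline.
type WeakHasher struct{ Seed uint64 }

func (w WeakHasher) Key(tokens []int32) uint64 {
	h := fnv.New64a()
	binary.Write(h, binary.LittleEndian, w.Seed)
	binary.Write(h, binary.LittleEndian, tokens)
	return h.Sum64()
}

// KeyedHasher (hypothetical): HMAC-SHA256 under a per-process secret from the OS CSPRNG.
type KeyedHasher struct{ key []byte }

func NewKeyedHasher() KeyedHasher {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // never fall back to a weak or empty key
	}
	return KeyedHasher{key: k}
}

func (k KeyedHasher) Key(tokens []int32) uint64 {
	m := hmac.New(sha256.New, k.key)
	binary.Write(m, binary.LittleEndian, tokens)
	return binary.BigEndian.Uint64(m.Sum(nil)[:8])
}

// Predictable reports whether an independently built hasher derives the same key.
func Predictable(a, b PrefixHasher, tokens []int32) bool {
	return a.Key(tokens) == b.Key(tokens)
}

func main() {
	t := []int32{101, 2023, 2003, 1037} // constructed sample token IDs
	fmt.Println("weak:", Predictable(WeakHasher{}, WeakHasher{}, t))
	fmt.Println("keyed:", Predictable(NewKeyedHasher(), NewKeyedHasher(), t))
}
```

If several gateway replicas must agree on cache keys, the HMAC secret has to be distributed to them as a secret rather than derived from anything guessable.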
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N