CVE-2025-62164

vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.

An attacker obtains low-privilege API credentials to a vLLM-powered inference service (e.g., through credential stuffing, a leaked API key, or a free-tier account on a SaaS platform). They craft a malicious PyTorch sparse tensor with manipulated metadata — specifically, crafting sparse index/value buffers that violate internal bounds assumptions. With PyTorch 2.8.0+, the integrity checks that would catch this are disabled by default. The attacker serializes the tensor using Python's pickle format (torch.load's default), encodes it in a Completions API request as a prompt embedding, and submits it to vLLM's endpoint. When vLLM calls to_dense() on the tensor, the out-of-bounds write corrupts server memory. In a DoS scenario this crashes the process immediately. In an RCE scenario, a skilled attacker could use the write-what-where primitive (CWE-123) to overwrite function pointers or return addresses, achieving code execution on the inference host — potentially gaining access to model weights, training data, API keys stored in environment variables, and the broader server environment.