CVE-2025-9900

HIGH
Published September 23, 2025

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing...

Full CISO analysis pending enrichment.

What systems are affected?

Package                          Ecosystem   Vulnerable Range   Patched
vLLM                             pip         (not listed)       No patch
compat-libtiff3                  (not listed) (not listed)      No patch
discovery/discovery-ui-rhel9     (not listed) (not listed)      No patch
libtiff                          (not listed) (not listed)      No patch
libtiff-main                     (not listed) (not listed)      No patch
mingw-libtiff                    (not listed) (not listed)      No patch
rhaiis/model-opt-cuda-rhel9      (not listed) (not listed)      No patch
spice-client-win                 (not listed) (not listed)      No patch

vLLM package stats: 83.4K, 130 dependents, 33% patched, ~32d to patch.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

Attack Vector (AV):        Network
Attack Complexity (AC):    Low
Privileges Required (PR):  None
User Interaction (UI):     Required
Scope (S):                 Unchanged
Confidentiality (C):       High
Integrity (I):             High
Availability (A):          High

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations: because the flaw is triggered by parsing a crafted TIFF file (no privileges required, user interaction required), limiting which components accept untrusted TIFF input and running image decoders in a sandboxed or low-privilege process reduces exposure until a fix ships.

Which compliance frameworks are affected?

Compliance analysis pending.

Frequently Asked Questions

What is CVE-2025-9900?

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Is CVE-2025-9900 actively exploited?

No confirmed active exploitation of CVE-2025-9900 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-9900?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2025-9900?

CVE-2025-9900 has a CVSS v3.1 base score of 8.8 (HIGH).

What are the technical details?

Original Advisory

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Weaknesses (CWE)

CWE-123 — Write-what-where Condition: Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

  • [Architecture and Design] Use a language that provides appropriate memory abstractions.
  • [Operation] Use OS-level preventative functionality integrated after the fact. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
September 23, 2025
Last Modified
June 25, 2026
First Seen
June 25, 2026