CVE-2025-48956: vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service vulnerability allows an unauthenticated attacker to crash the server with an oversized HTTP request header.
Summary
CVE-2025-48956 is a Denial of Service vulnerability (a type of attack that makes a service unavailable) in vLLM, an inference and serving engine for large language models. Versions 0.1.0 through 0.10.1.0 can be crashed by an HTTP GET request carrying an extremely large header, which exhausts the server's memory. The attack requires no authentication, so any remote client that can reach the server can trigger it.
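The request shape involved is simple to illustrate. The sketch below only builds an oversized header value in memory and shows what such a request would look like; the header name, endpoint, and size are placeholders, not details taken from the advisory, and nothing is sent anywhere.

```python
# Illustrative only: construct an oversized header value of the kind
# that exhausts memory on unpatched vLLM (0.1.0 through 0.10.1.0).
# Header name, size, and URL below are hypothetical placeholders.
HEADER_NAME = "X-Oversized"
HEADER_VALUE = "A" * 1_000_000  # ~1 MB of padding in a single header

# Shape of the request (never send this to a server you do not operate):
request_line = f"GET /health HTTP/1.1"
oversized_header = f"{HEADER_NAME}: {HEADER_VALUE}"

print(request_line)
print(f"{HEADER_NAME}: <{len(HEADER_VALUE)} bytes>")
```

Because header parsing happens before any authentication check, limiting header size at a reverse proxy in front of vLLM is a common defense-in-depth measure even after upgrading.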
Solution / Mitigation
This vulnerability is fixed in vLLM version 0.10.1.1. Users should upgrade to this version or later.
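To audit a deployment, the installed version can be compared against the affected range [0.1.0, 0.10.1.1). This is a minimal sketch, assuming plain dotted version strings with no pre-release suffixes; the helper names are ours, not part of vLLM.

```python
def parse_version(v: str) -> tuple:
    """Parse a plain dotted version string like '0.10.1.1' into an int tuple."""
    return tuple(int(part) for part in v.split("."))

FIRST_AFFECTED = parse_version("0.1.0")
FIXED = parse_version("0.10.1.1")

def is_vulnerable(installed: str) -> bool:
    """True if the installed vLLM version falls in [0.1.0, 0.10.1.1)."""
    v = parse_version(installed)
    return FIRST_AFFECTED <= v < FIXED

print(is_vulnerable("0.10.1.0"))  # True  -- last affected release
print(is_vulnerable("0.10.1.1"))  # False -- first fixed release
```

Python compares tuples element-wise, so `(0, 10, 1, 0) < (0, 10, 1, 1)` gives the correct ordering without any third-party version library.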
Vulnerability Details
CVSS: 7.5 (High)
EPSS: 0.3%
Classification
Affected Vendors
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem…
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p…
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-48956
First tracked: February 15, 2026 at 08:44 PM
Classified by LLM (prompt v3) · confidence: 95%