apk package
chainguard/py3-vllm-cuda-12.4
pkg:apk/chainguard/py3-vllm-cuda-12.4
Vulnerabilities (7)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68131 | | — | | < 0.13.0-r1 | 0.13.0-r1 | Dec 31, 2025 | cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) |
| CVE-2025-62593 | Critical | — | | < 0.11.2-r1 | 0.11.2-r1 | Nov 26, 2025 | Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the c |
| CVE-2025-61620 | Medium | — | | < 0.11.0-r2 | 0.11.0-r2 | Oct 7, 2025 | Summary: A resource-exhaustion (denial-of-service) vulnerability exists in multiple endpoints of the OpenAI-Compatible Server due to the ability to specify Jinja templates via the `chat_template` and `chat_template_kwargs` parameters. If an attacker can supply these parameter |
| CVE-2025-6242 | High | 7.1 | | < 0.11.0-r2 | 0.11.0-r2 | Oct 7, 2025 | A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target ho |
| CVE-2025-59425 | | — | | < 0.11.0-r2 | 0.11.0-r2 | Oct 7, 2025 | vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more charac |
| CVE-2025-53643 | | — | | < 0.9.2-r1 | 0.9.2-r1 | Jul 14, 2025 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed |
| CVE-2025-48379 | | — | | < 0.9.2-r0 | 0.9.2-r0 | Jul 1, 2025 | Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only aff |