VYPR

apk package

chainguard/py3-vllm-cuda-12.4

pkg:apk/chainguard/py3-vllm-cuda-12.4

Vulnerabilities (7)

  • CVE-2025-68131 (Dec 31, 2025)
    affected: < 0.13.0-r1, fixed: 0.13.0-r1

    cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28)

  • CVE-2025-62593 (Critical, Nov 26, 2025)
    affected: < 0.11.2-r1, fixed: 0.11.2-r1

    Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the c

  • CVE-2025-61620 (Medium, Oct 7, 2025)
    affected: < 0.11.0-r2, fixed: 0.11.0-r2

    Summary: A resource-exhaustion (denial-of-service) vulnerability exists in multiple endpoints of the OpenAI-Compatible Server due to the ability to specify Jinja templates via the `chat_template` and `chat_template_kwargs` parameters. If an attacker can supply these parameter

  • CVE-2025-6242 (High, Oct 7, 2025)
    affected: < 0.11.0-r2, fixed: 0.11.0-r2

    A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target ho

  • CVE-2025-59425 (Oct 7, 2025)
    affected: < 0.11.0-r2, fixed: 0.11.0-r2

    vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in vLLM performs validation using a method that was vulnerable to a timing attack. API key validation uses a string comparison that takes longer the more charac

  • CVE-2025-53643 (Jul 14, 2025)
    affected: < 0.9.2-r1, fixed: 0.9.2-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed

  • CVE-2025-48379 (Jul 1, 2025)
    affected: < 0.9.2-r0, fixed: 0.9.2-r0

    Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only aff