Serious vLLM Vulnerability Exposes AI Systems to Remote Attacks

A newly identified vulnerability in vLLM poses significant risks to AI systems, allowing attackers to crash servers or execute arbitrary code through malicious prompt embeddings. This flaw, documented under the identifier CVE-2025-62164, affects all versions of vLLM starting from 0.10.2, putting numerous production AI deployments at immediate risk.

According to researchers from Wiz Security, the vulnerability allows any user with access to the Completions API to potentially achieve denial-of-service (DoS) and remote code execution. This risk is alarming given the increasing reliance on AI for critical applications across various industries.

Understanding the Vulnerability in vLLM

The root cause of this vulnerability lies in the way vLLM processes user-supplied prompt embeddings. Intended to enhance functionality, this feature allows advanced applications to pass precomputed vectors directly to the AI model. When a client sends an embedding to the Completions API, vLLM attempts to reconstruct the tensor by deserializing the Base64-encoded payload using PyTorch’s torch.load() function.

The vulnerability emerges in the code located in entrypoints/renderer.py. Here, vLLM decodes the Base64-encoded embedding and deserializes it using torch.load(). Following this, the server converts the tensor to a dense tensor with to_dense(), all without performing any safety checks. This oversight means that any maliciously crafted payload can bypass the deserialization step, leading to potential memory corruption during the densification process.

Consequences of the Flaw and Mitigation Strategies

The implications of this vulnerability are severe. Depending on the specifics of the malicious payload, the out-of-bounds write can result in server crashes and DoS conditions if critical execution memory is compromised. More sophisticated attacks could enable arbitrary code execution by manipulating memory regions that control program flow. This vulnerability also raises concerns about lateral compromises within the AI stack, as vLLM often operates alongside sensitive components like GPUs and proprietary data.

To address this critical flaw, security teams are advised to take several key steps. First, organizations should upgrade to the patched versions of vLLM and implement PyTorch’s sparse tensor integrity checks to prevent unsafe deserialization. Additionally, restricting and authenticating access to the Completions API is crucial. This includes removing public exposure and enforcing strong authentication measures.

Validating and filtering all prompt embeddings through an API gateway or web application firewall (WAF) can help block malformed or untrusted tensors before they reach vLLM. Isolating vLLM in secure environments, such as dedicated containers or virtual machines, with a focus on least privilege, segmentation, and non-privileged service accounts, is also recommended.

Monitoring and logging for indicators of exploitation, such as crashes and abnormal behavior, will enhance security. Strengthening runtime and infrastructure security by applying techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can further mitigate risks.

The discovery of this vulnerability highlights a broader trend in AI security, where the attack surface extends beyond the models themselves to include the underlying frameworks and libraries. As organizations integrate more large language model (LLM)-powered capabilities, weaknesses in systems like vLLM and PyTorch become attractive targets for malicious actors. This incident underscores how changes in foundational libraries, such as PyTorch disabling integrity checks, can create significant security gaps.

As AI infrastructure grows more interconnected and modular, the importance of comprehensive input validation and timely patching cannot be overstated. Organizations must remain vigilant to ensure that even minor flaws do not escalate into significant compromises.