Bug 2397234 (CVE-2025-59425)

Summary: CVE-2025-59425 vllm: Timing Attack in vLLM API Token Verification Leading to Authentication Bypass
Product: [Other] Security Response
Component: vulnerability
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alinfoot, bbrownin, dtrifiro, rbryant, security-response-team, weaton
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in vLLM’s API token authentication logic, where token comparisons were not performed in constant time. This weakness could allow an attacker to exploit timing differences to guess valid tokens and bypass authentication.
Deadline: 2025-09-23   

Description OSIDB Bzimport 2025-09-22 06:55:51 UTC
A timing side-channel vulnerability was identified in vLLM’s API token verification logic. The comparison of API tokens was not performed in constant time, which could allow an attacker to measure subtle differences in response times to infer valid tokens. Exploitation of this flaw could enable authentication bypass, granting unauthorized access to APIs and sensitive resources. 
Affected Versions: vLLM ≤ 0.10.2 
Fixed Version: vLLM 0.10.3
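To make the flaw concrete, here is an added Python illustration (not vLLM's own code or its actual fix): a comparison that stops at the first differing character, as the description says the token check did, next to a constant-time check built on hmac.compare_digest. The token values and the authorize() helper are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed sample tokens for the example; not real credentials.
VALID_TOKENS = ["token-alpha-0123456789", "token-bravo-abcdefghij"]


def naive_compare(candidate: str, expected: str) -> Tuple[bool, int]:
    """Variable-time comparison of the kind the CVE describes: it returns as
    soon as a character differs. Also returns how many characters were
    examined so the leak is visible without measuring wall-clock time."""
    if len(candidate) != len(expected):
        return False, 0
    examined = 0
    for c, e in zip(candidate, expected):
        examined += 1
        if c != e:
            return False, examined
    return True, examined


def constant_time_compare(candidate: str, expected: str) -> bool:
    """Hardened form: hash both sides to a fixed length, then compare with
    hmac.compare_digest, whose running time does not depend on where the
    inputs differ. Hashing first also keeps the token length from leaking."""
    c = hashlib.sha256(candidate.encode("utf-8")).digest()
    e = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(c, e)


def authorize(authorization_header: Optional[str],
              valid_tokens: Iterable[str]) -> bool:
    """Bearer-token check that compares against every configured token
    instead of returning on the first match, so response time does not
    reveal which token matched or how far the match got."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    presented = authorization_header[len("Bearer "):]
    matched = False
    for token in valid_tokens:
        matched |= constant_time_compare(presented, token)
    return matched
```

The examined-character count returned by naive_compare is exactly the signal a response-time measurement exposes; the constant-time variant removes it and is the property to verify when auditing an API key check.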