CVE-2025-62164 affects the vLLM project, an inference and serving engine for large language models, specifically versions from 0.10.2 up to but not including 0.11.1. The vulnerability stems from improper input validation and unsafe deserialization of user-supplied prompt embeddings in the Completions API endpoint. The endpoint uses torch.load() to deserialize tensors without sufficient validation. Starting with PyTorch 2.8.0, sparse tensor integrity checks are disabled by default, which allows maliciously crafted sparse tensors to bypass internal bounds checks. When the vulnerable code calls to_dense() on these tensors, an out-of-bounds memory write can occur, leading to memory corruption. This can cause the vLLM process to crash, resulting in denial-of-service, or potentially enable remote code execution on the host server. The vulnerability is exploitable remotely over the network with low privileges and does not require user interaction, increasing its risk profile. The issue has been addressed in vLLM version 0.11.1 by restoring proper validation and handling of sparse tensors during deserialization. No known exploits have been reported in the wild yet, but the high CVSS score of 8.8 reflects the critical impact and ease of exploitation. The vulnerability involves multiple CWEs: CWE-20 (Improper Input Validation), CWE-123 (Write-What-Where Condition), CWE-502 (Deserialization of Untrusted Data), and CWE-787 (Out-of-bounds Write).

For European organizations, this vulnerability poses significant risks to the confidentiality, integrity, and availability of AI inference services relying on vLLM. Exploitation could allow attackers to execute arbitrary code on servers hosting vLLM, potentially leading to data breaches, unauthorized access to sensitive AI models or data, and disruption of AI-powered services. Organizations using vLLM in cloud or on-premises environments for critical AI workloads may face service outages or compromise of intellectual property. The vulnerability's network accessibility and lack of user interaction requirements increase the attack surface, especially for publicly exposed API endpoints. Given the growing adoption of AI technologies across Europe in sectors such as finance, healthcare, and manufacturing, the impact could extend to critical infrastructure and sensitive data processing. The absence of known exploits currently provides a window for proactive mitigation, but the high severity demands urgent attention.

1. Immediately upgrade all vLLM deployments to version 0.11.1 or later, where the vulnerability is patched. 2. Restrict access to the Completions API endpoint by implementing strong authentication and network segmentation, limiting API calls to trusted users and internal networks only. 3. Employ input validation and sanitization at the application layer to detect and reject malformed or suspicious tensor data before deserialization. 4. Monitor API usage logs for anomalous or unexpected requests that could indicate exploitation attempts. 5. If upgrading is not immediately feasible, consider disabling or restricting the use of the Completions API endpoint to reduce exposure. 6. Review and update incident response plans to include detection and mitigation steps for potential exploitation of deserialization vulnerabilities. 7. Coordinate with cloud providers or third-party vendors to ensure patched versions are deployed in managed environments. 8. Stay informed on threat intelligence updates regarding any emerging exploits targeting this vulnerability.