GHSA-mcmc-2m55-j8jj: vLLM introduced enhanced protection for CVE-2025-62164
The fix for CVE-2025-62164 is not sufficient. It only disables prompt embeds by default rather than addressing the root cause, so the DoS vulnerability remains when the feature is enabled.