Security Advisories
A list of vulnerabilities (CVE / GHSA) publicly disclosed by Tencent Zhuque Lab. View as JSONopen_in_new
bug_report
Vulnerabilities
67
deployed_code
Products
21
leaderboard
Severity Breakdown
-
open_in_newHigh CVE-2025-30202 CWE-770
Data exposure via ZeroMQ on multi-node vLLM deployment
deployed_code Affected: vllm >= 0.5.2, < 0.8.5 calendar_today Published: April 29, 2025 -
open_in_newCritical CVE-2025-32444 CWE-502
vLLM Vulnerable to Remote Code Execution via Mooncake Integration
deployed_code Affected: vllm >= 0.6.5, < 0.8.5 calendar_today Published: April 29, 2025 -
open_in_newMedium CVE-2025-46560 CWE-1333
phi4mm: Quadratic Time Complexity in Input Token Processing leads to denial of service
deployed_code Affected: vllm >= 0.8.0, < 0.8.5 calendar_today Published: April 29, 2025 -
open_in_newMedium CVE-2024-47829 CWE-328
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
deployed_code Affected: pnpm < 10.0.0 calendar_today Published: April 23, 2025 -
open_in_newMedium CVE-2025-31486 CWE-200/CWE-284
`server.fs.deny` bypassed with `.svg` or relative paths
deployed_code Affected: vite >=6.2.0, <=6.2.4 >=6.1.0, <=6.1.3 >=6.0.0, <=6.0.13 >=5.0.0, <=5.4.16 <=4.5.11 calendar_today Published: April 03, 2025 -
open_in_newCritical CVE-2025-29783 CWE-502
vLLM Allows Remote Code Execution via Mooncake Integration
deployed_code Affected: vllm >= 0.6.5, < 0.8.0 calendar_today Published: March 19, 2025 -
open_in_newLow CVE-2024-53879 CWE-1284
NVIDIA CUDA Toolkit cuobjdump Malformed ELF Denial of Service
deployed_code Affected: CUDA Toolkit / cuobjdump <=12.8 calendar_today Published: February 25, 2025 -
open_in_newLow CVE-2025-25183 CWE-354
vLLM uses Python 3.12 built-in hash() which leads to predictable hash collisions in prefix cache
deployed_code Affected: vllm < 0.7.2 calendar_today Published: February 06, 2025 -
open_in_newMedium CVE-2024-55885 CWE-327/CWE-328
Beego has Collision Hazards of MD5 in Cache Key Filenames
deployed_code Affected: beego github.com/beego/beego/v2 (go): < 2.3.4; github.com/beego/beego (go): <= 1.12.14 calendar_today Published: December 12, 2024 -
open_in_newHigh CVE-2024-52804 CWE-400/CWE-770
Tornado has an HTTP cookie parsing DoS vulnerability
deployed_code Affected: tornado <= 6.4.1 calendar_today Published: November 22, 2024
Per page
