PyPI: vllm
CVE-2025-59425
Safety vulnerability ID: SFTY-20251007-18618
Safety legacy ID: pyup.io-80182
Affected versions of vLLM validate the bearer token for the OpenAI-compatible API server with a string comparison that is not constant-time, so an attacker who can measure response times may be able to recover a valid API key more efficiently than by brute force.
Overview
vLLM is vulnerable to a timing attack in bearer auth
Advisory
Affected versions of vLLM are vulnerable to a timing attack in the bearer-token authentication of the OpenAI-compatible API server (vllm/entrypoints/openai/api_server.py). When the server is started with an API key, the value supplied in the Authorization header is compared with the configured key using an ordinary string comparison, which stops as soon as a mismatching byte is found. The time taken to reject a request therefore depends on how long a prefix of the guess matches the real key. An attacker with network access to the server can measure that difference over many requests and recover the key incrementally, which is more efficient than brute force. The issue is fixed by the referenced commit, which replaces the check with a constant-time comparison, and the fix ships in vLLM 0.11.0.
How to Fix
Upgrade to vLLM 0.11.0 or later (see the release and fix commit in References), then rotate any API key that was in use while a vulnerable version was reachable, since the key may already have been leaked.
Mitigation and Workarounds
If upgrading is not immediately possible, do not expose the vLLM API server directly to untrusted networks; place it behind a reverse proxy or API gateway that performs authentication itself, and restrict who can reach the server at all. Adding artificial jitter to responses is not a reliable workaround: timing attacks are statistical, and an attacker compensates for noise by taking more samples.
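The difference between the vulnerable and the fixed check, as an added example written for this page rather than taken from vLLM's code base. It parses an `Authorization: Bearer <token>` header and compares the token against a configured key list in two ways: the non-constant-time pattern the advisory describes and a hardened version built on `secrets.compare_digest`. Function names, the header parsing and the sample key are assumptions made for the example.

```python
"""Bearer-token verification: short-circuiting equality versus constant-time compare.

Added example for this advisory page; it is not vLLM's own code. The shape of the
check (parse the Authorization header, compare the token with a list of configured
keys) is an assumption about how an OpenAI-compatible --api-key check is structured.
"""
import secrets
import timeit
from typing import List, Optional


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or None.

    The scheme is matched case-insensitively; a missing header, another scheme,
    or an empty token all yield None so the caller rejects the request.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def verify_naive(authorization: Optional[str], api_keys: List[str]) -> bool:
    """Vulnerable pattern: ordinary string equality via `in`.

    `token in api_keys` compares with `==`, which returns as soon as the lengths
    differ or a mismatching byte is found, so the time to reject a guess depends
    on how much of it matches the real key.
    """
    token = parse_bearer(authorization)
    return token is not None and token in api_keys


def verify_constant_time(authorization: Optional[str], api_keys: List[str]) -> bool:
    """Hardened pattern: secrets.compare_digest against every configured key.

    compare_digest's running time depends only on the length of its inputs, not on
    where they first differ. The loop deliberately does not return early, so the
    number of comparisons is also independent of which key (if any) matched.
    Encoding to bytes avoids compare_digest's ASCII-only restriction on str inputs.
    """
    token = parse_bearer(authorization)
    if token is None:
        return False
    matched = False
    for key in api_keys:
        matched |= secrets.compare_digest(token.encode("utf-8"), key.encode("utf-8"))
    return matched


def time_check(check, authorization: str, api_keys: List[str], n: int = 200_000) -> float:
    """Total seconds for n calls of `check`; used only for the local demonstration."""
    return timeit.timeit(lambda: check(authorization, api_keys), number=n)


if __name__ == "__main__":
    KEY = "sk-" + "a" * 29  # constructed sample key, not a real credential
    keys = [KEY]
    wrong_early = "Bearer Z" + KEY[1:]       # mismatch at the first byte
    wrong_late = "Bearer " + KEY[:-1] + "Z"  # mismatch only at the last byte
    for name, fn in (("naive", verify_naive), ("constant_time", verify_constant_time)):
        t_early = time_check(fn, wrong_early, keys)
        t_late = time_check(fn, wrong_late, keys)
        print(f"{name:14s} early-mismatch {t_early:.3f}s  late-mismatch {t_late:.3f}s")
```

Run stand-alone, the script times an early-mismatch guess against a late-mismatch guess for both checkers. On a single machine the naive gap is nanoseconds per call and may sit inside measurement noise; that is exactly why the attack is statistical and why the fix is to remove the data-dependent timing rather than to try to measure it away.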
Vulnerable Functions
Functions linked to known vulnerabilities.
The affected code is the bearer-token check in vllm/entrypoints/openai/api_server.py; see the linked source lines under References.
References
- https://getsafety.com/vulnerabilities/SFTY-20251007-18618/CVE-2025-59425
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59425
- https://nvd.nist.gov/vuln/detail/CVE-2025-59425
- https://github.com/advisories/GHSA-wr9h-g72x-mwhm
- https://github.com/vllm-project/vllm/security/advisories/GHSA-wr9h-g72x-mwhm
- https://github.com/vllm-project/vllm/commit/ee10d7e6ff5875386c7f136ce8b5f525c8fcef48
- https://github.com/vllm-project/vllm/blob/4b946d693e0af15740e9ca9c0e059d5f333b1083/vllm/entrypoints/openai/api_server.py#L1270-L1274
- https://github.com/vllm-project/vllm/releases/tag/v0.11.0
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.