PyPI: vllm
CVE-2026-54236
Safety vulnerability ID: SFTY-20260617-04058
Affected versions of the vLLM package are vulnerable to Information Disclosure due to inadequate sanitization of exception messages. Exception handlers in `api_router.py` and `connection.py` echo `str(exc)` to the client without first applying `sanitize_message`, so object reprs embedded in the exception text (for example a PIL image repr, which includes the object's address) reach the response body. An attacker can trigger this by sending malformed image bytes that raise such an exception, leaking heap addresses of the serving process; a disclosed heap address undermines ASLR for that process and can aid further exploitation. This is an incomplete fix of CVE-2026-22778.
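The following is an added illustration of the bug class described above; it is not code from vLLM, and `sanitize_message`, `FakeImage`, `decode_image` and the two handlers are stand-ins written for this page. It models the trigger (malformed image bytes raising an exception whose message embeds an object repr with a hex address, as PIL's `Image.__repr__` does) and contrasts a handler that echoes `str(exc)` verbatim with one that redacts addresses before the message is returned.

```python
import re

# Illustrative sanitizer for this page, not vLLM's own sanitize_message:
# matches hex memory addresses as they appear in default object reprs,
# e.g. "<Foo object at 0x7f3a9c1d2e40>".
_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{6,}\b")


def sanitize_message(message: str) -> str:
    """Redact anything that looks like a memory address from an error string."""
    return _ADDRESS_RE.sub("0x<redacted>", message)


class FakeImage:
    """Stand-in for a PIL Image; PIL's repr embeds id(self) in hex."""

    def __init__(self, mode="RGB", size=(64, 64)):
        self.mode, self.size = mode, size

    def __repr__(self):
        return (f"<PIL.Image.Image image mode={self.mode} "
                f"size={self.size[0]}x{self.size[1]} at 0x{id(self):X}>")


def decode_image(data: bytes):
    """Hypothetical decoder (constructed for this example) that rejects
    malformed input with a message quoting the partially built object."""
    img = FakeImage()
    if not data.startswith(b"\x89PNG"):
        raise ValueError(f"cannot decode {img!r}: bad header {data[:4]!r}")
    return img


def handle_request_vulnerable(data: bytes) -> dict:
    """Echoes str(exc) verbatim: the object's heap address reaches the client."""
    try:
        decode_image(data)
        return {"status": 200}
    except Exception as exc:
        return {"status": 400, "error": str(exc)}


def handle_request_fixed(data: bytes) -> dict:
    """Same handler with sanitize_message applied before the message is sent."""
    try:
        decode_image(data)
        return {"status": 200}
    except Exception as exc:
        return {"status": 400, "error": sanitize_message(str(exc))}


def leaks_address(response: dict) -> bool:
    """True if the response body still contains a hex memory address."""
    return bool(_ADDRESS_RE.search(response.get("error", "")))


if __name__ == "__main__":
    # Constructed malformed input: a JPEG-looking prefix followed by junk.
    malformed = b"\xff\xd8garbage"
    print("vulnerable:", handle_request_vulnerable(malformed))
    print("fixed:     ", handle_request_fixed(malformed))
```

The redaction shown here is a last line of defence; the more robust design is to return a generic error to the client and keep the full `str(exc)` only in server-side logs, so that no repr-derived detail depends on a regex keeping up with every object type that can appear in an exception message.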
Overview
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Advisory
vllm – Insertion of Sensitive Information into Log File
How to Fix
We recommend updating vllm to the latest non-vulnerable version.
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260617-04058/CVE-2026-54236
- https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw
- https://github.com/vllm-project/vllm/pull/45119
- https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82
- https://github.com/advisories/GHSA-hgg8-fqqc-vfmw
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
