
AVID-2026-R1653

Description

vLLM AIBrix Prefix Caching hash.go random values (CVE-2025-1953)

Details

A vulnerability classified as problematic has been found in vLLM AIBrix 0.2.0. It affects an unknown functionality of the file pkg/plugins/gateway/prefixcacheindexer/hash.go in the Prefix Caching component. The manipulation leads to insufficiently random values. Attack complexity is rather high, and exploitation appears to be difficult. Upgrading to version 0.3.0 addresses this issue; upgrading the affected component is recommended.

Reason for inclusion in AVID: CVE-2025-1953 documents a vulnerability in the vLLM AIBrix component (prefix caching) involving insufficiently random values in a hashing function. This affects a software component used in AI serving/inference stacks, i.e., part of AI systems infrastructure. It is a software vulnerability (CWE-330/310) with remediation provided (upgrade to 0.3.0). The issue concerns components used to build and deploy AI systems and is thus relevant to AI supply chains. Evidence includes version impact, remediation, and references (NVD, GitHub discussions/PRs).

References

Affected or Relevant Artifacts

  • Developer: vLLM
  • Deployer: vLLM
  • Artifact Details:
      • Type: System
      • Name: AIBrix

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Base Score: 2.6
  • Base Severity: 🟢 Low

CWE

  • CWE-330: Insufficiently Random Values
  • CWE-310: Cryptographic Issues

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-04
  • Version: 0.3.3
  • AVID Entry