Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 pypi packages depend on vllm (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.5.5.
DescriptionGitHub Advisory
vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.
AnalysisAI
vLLM versions 0.5.5 through 0.17.x use incorrect mono audio downmixing via numpy.mean instead of the ITU-R BS.775-4 weighted standard, causing audio processed by AI models to diverge from human perception. An authenticated remote attacker with low privileges can exploit this inconsistency to manipulate audio-based model outputs or infer mismatches between expected and actual audio processing, affecting integrity of audio-driven inference pipelines. The vulnerability has been patched in vLLM 0.18.0.
Technical ContextAI
vLLM integrates Librosa for audio preprocessing in LLM inference workflows. Librosa's to_mono function defaults to simple arithmetic mean (numpy.mean) for converting stereo to mono audio, which differs from ITU-R BS.775-4 standard weighted downmixing used in consumer audio playback and human hearing. The root cause is improper input validation and normalization (CWE-20) of audio preprocessing parameters, allowing a mismatch between training/reference audio and inference audio representations. This affects any vLLM deployment processing audio tokens or multimodal audio inputs where Librosa-based preprocessing occurs. The CPE cpe:2.3:a:vllm-project:vllm:*:*:*:*:*:*:*:* covers all vLLM instances in the affected range.
RemediationAI
Vendor-released patch: vLLM 0.18.0. Organizations should upgrade vLLM to version 0.18.0 or later immediately. The fix corrects Librosa's audio preprocessing to conform to ITU-R BS.775-4 standard weighted downmixing. For those unable to upgrade immediately, workarounds include disabling Librosa-based audio preprocessing in vLLM configuration or pre-processing audio outside vLLM using standard-compliant libraries before inference. Refer to https://github.com/vllm-project/vllm/releases/tag/v0.18.0 for release details and https://github.com/vllm-project/vllm/pull/37058 for technical implementation notes.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical sev
Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), th
vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where incons
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5),
Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).
Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbit
Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server i
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust sch
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0)
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18522