← Back to the AI Dependency AtlasExact package identity dossier

vLLM

pypi:vllm
pypi

This dossier links the stable identity pypi:vllm to 3 exact observed versions across 3 public repositories.

pypipypi:vllmecosystem:name + exact version + evidence path

A package identity or provider interface in published code does not prove configuration, an account, procurement, data transfer or an API call.

ecosystem:name + exact version + evidence path
3repositories
3exact evidence rows
3exact versions
1reported license expression
39OSV records returned
Exact published evidence

Observed exact versions and registry metadata

Publication age and licenses come from deps.dev metadata. They are context—not a maintenance, legal or portability verdict.

Exact version0.8.5.post103 May 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported34 OSV records
Open exact source ↗
Exact version0.10.1.121 Aug 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported27 OSV records
Open exact source ↗
Exact version0.11.004 Oct 2025
Repositories
1
Occurrences
1
Reported licenses
Apache-2.0
no verified publish attestation reported27 OSV records
Open exact source ↗
Observed relations

Repositories carrying this identity

Coding Agent Usage Simulationuba-ki-lab/coding-agent-usage-simulation
0.11.01 Occurrence
LLM Questionnaire Benchmarking Frameworkuba-ki-lab/llm-questionnaire-benchmarking-framework
0.10.1.11 Occurrence
LLM Testframeworkuba-ki-lab/llm-testframework
0.8.5.post11 Occurrence
Exact published evidence

exact evidence rows

Coding Agent Usage Simulationuba-ki-lab/coding-agent-usage-simulation
pypi:vllm@0.11.0uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
LLM Questionnaire Benchmarking Frameworkuba-ki-lab/llm-questionnaire-benchmarking-framework
pypi:vllm@0.10.1.1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
LLM Testframeworkuba-ki-lab/llm-testframework
pypi:vllm@0.8.5.post1uv.lock
declaration relationship not reporteddevelopment scope not reported
Open exact source ↗
OSV

Related OSV records

GHSA-2pc9-4j83-qjmr

vLLM affected by RCE via auto_map dynamic module loading during model initialization

2 repositories17 Jul 2026
GHSA-3f6c-7fw2-ppm4

vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

2 repositories07 Jul 2026
GHSA-3mwp-wvh9-7528

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

3 repositories17 Jul 2026
GHSA-3ww4-5jv9-j5gm

vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors

3 repositories17 Jul 2026
GHSA-4qjh-9fv9-r85r

Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching

1 repository04 Feb 2026
GHSA-4r2x-xpjr-7cvv

vLLM has RCE In Video Processing

3 repositories17 Jul 2026
GHSA-5jv2-g5wq-cmr4

vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving

3 repositories17 Jul 2026
GHSA-69j4-grxj-j64p

vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`

3 repositories17 Jul 2026
GHSA-6c4r-fmh3-7rh8

vLLM: Processing differential in multi-channel audio downmixing enables hidden-input/moderation bypass for audio models

3 repositories17 Jul 2026
GHSA-6fvq-23cw-5628

vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server

2 repositories07 Jul 2026
GHSA-6pr9-rp53-2pmc

vLLM: OOM Denial of Service via Audio Decompression Bomb

3 repositories17 Jul 2026
GHSA-6qc9-v4r8-22xg

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

1 repository04 Feb 2026
GHSA-7972-pg2x-xr59

vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out

2 repositories17 Jul 2026
GHSA-7h4p-rffg-7823

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels

3 repositories17 Jul 2026
GHSA-8fr4-5q9j-m8gm

vLLM vulnerable to remote code execution via transformers_utils/get_config

3 repositories17 Jul 2026
GHSA-8jr5-v98p-w75m

vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations

1 repository17 Jul 2026
GHSA-94f4-hr76-p5j6

vLLM: OpenAI auth bypass

3 repositories17 Jul 2026
GHSA-98f3-hwg4-4rf7

vllm has Improper Resource Shutdown or Release

3 repositories13 Jul 2026
GHSA-9hcf-v7m4-6m2j

vLLM allows clients to crash the openai server with invalid regex

1 repository04 Feb 2026
GHSA-9pcc-gvx5-r5wm

Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration

1 repository17 Jul 2026
GHSA-c65p-x677-fgj6

vLLM has a Weakness in MultiModalHasher Image Hashing Implementation

1 repository04 Feb 2026
GHSA-grg2-63fw-f2qr

vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions

3 repositories08 Jun 2026
GHSA-hgg8-fqqc-vfmw

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router

3 repositories13 Jul 2026
GHSA-hpv8-x276-m59f

vLLM Vulnerable to Remote DoS via Special-Token Placeholders

3 repositories17 Jul 2026
GHSA-j828-28rj-hfhp

vLLM vulnerable to Regular Expression Denial of Service

1 repository08 Jul 2026
GHSA-mcmc-2m55-j8jj

vLLM introduced enhanced protection for CVE-2025-62164

1 repository27 Jun 2026
GHSA-mrw7-hf4f-83pf

vLLM deserialization vulnerability leading to DoS and potential RCE

1 repository17 Jul 2026
GHSA-pmqf-x6x8-p7qw

vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

3 repositories17 Jul 2026
GHSA-pq5c-rjhq-qp7p

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing

3 repositories17 Jul 2026
GHSA-q8gq-377p-jq3r

vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution

3 repositories17 Jul 2026
GHSA-qh4c-xf7m-gxfc

vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector

3 repositories17 Jul 2026
GHSA-rwxx-mrjm-wc2m

vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends

3 repositories17 Jul 2026
GHSA-rxc4-3w6r-4v47

vllm API endpoints vulnerable to Denial of Service Attacks

1 repository17 Jul 2026
GHSA-vrq3-r879-7m65

vLLM Tool Schema allows DoS via Malformed pattern and type Fields

1 repository17 Jul 2026
GHSA-w6q7-j642-7c25

vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`

1 repository10 Jun 2026
GHSA-wr9h-g72x-mwhm

vLLM is vulnerable to timing attack at bearer auth

2 repositories17 Jul 2026
GHSA-x368-4g9h-fvv4

vLLM makes Use of Uninitialized Resource

3 repositories13 Jul 2026
PYSEC-2026-227

Not reported

3 repositories26 Jun 2026
PYSEC-2026-2302

Not reported

3 repositories13 Jul 2026
Interpretation boundary

Exact identities in, explicit limits out

Only exact npm and PyPI tuples are enriched. Reported SPDX expressions are metadata; no compatibility, obligation or legal conclusion is inferred.

Retrieval, parsing, matching and publishing use no generative AI model.

i6eal (2026): vLLM — exact AI dependency evidence dossier, data state 19 Jul 2026. https://i6eal.de/en/tools/ki-abhaengigkeitsatlas/paket/vllm-571f04fc/

Reading this dossier

Does package presence prove that a provider is used?
No. Even a direct interface declaration does not establish configuration, credentials, procurement, data transfer or an API call.
Why are exact versions required?
OSV and registry metadata can be linked reproducibly only to an observed package@version tuple. The collector never substitutes a newest release for a range.
Does a missing row mean the dependency is absent?
No. It means not observed within the bounded files and repository checkpoint. Incomplete trees and parser failures remain explicit.

Need a permanent dependency evidence trail for another public code cohort?

We build source-backed data products with stable identities, reproducible joins and boundaries that remain visible.

Discuss a data projectExplore all tools