Validate API tokens in constant time #25781
Merged
Isotr0py merged 2 commits into vllm-project:main on Sep 27, 2025
Conversation
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Contributor
Code Review
This pull request addresses a security vulnerability by using secrets.compare_digest for API token validation to prevent timing attacks. The implementation is a significant improvement. However, I've identified a potential residual timing vulnerability related to token length and have suggested a further hardening measure by hashing the tokens before comparison. This will ensure the comparison is always done on fixed-length inputs, fully mitigating timing attacks on both token value and length.
simon-mo approved these changes on Sep 26, 2025
This is based on gemini-code-assist's recommendation:

> While using secrets.compare_digest is a great improvement to prevent timing
> attacks on the token's value, this implementation might still be vulnerable to a
> timing attack that could reveal the length of the valid API tokens.
>
> The documentation for secrets.compare_digest notes that if the two strings being
> compared have different lengths, a timing attack could theoretically reveal
> information about their lengths. An attacker could use this to determine the
> length of valid tokens, which reduces the search space for a brute-force attack.
>
> To fully mitigate this, you can hash the API tokens to a fixed length before
> comparison. This ensures that secrets.compare_digest always operates on inputs
> of the same length. This also has the benefit of allowing non-ASCII characters
> in tokens if needed, as they will be encoded to UTF-8 bytes before hashing.

Signed-off-by: Russell Bryant <rbryant@redhat.com>
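The three comparison strategies discussed in the thread, shown side by side as an added example. This is illustrative code written for this page, not vLLM's own implementation; the function names, the `VALID_TOKENS` list and the non-ASCII sample token are constructed for the example. It shows the short-circuiting `==` check that leaks prefix length, the `secrets.compare_digest` check that is constant-time in the value but still sees inputs of differing lengths (and rejects non-ASCII `str`), and the hashed form where `compare_digest` always receives two 32-byte SHA-256 digests.

```python
import hashlib
import secrets
from typing import Iterable

# Constructed sample tokens for this example only; not real credentials.
VALID_TOKENS = ["example-token-one", "another-example-token-42"]


def _digest(token: str) -> bytes:
    """Reduce a token to a fixed 32-byte SHA-256 digest.

    Encoding to UTF-8 first means non-ASCII tokens are accepted, which the
    str form of secrets.compare_digest does not allow.
    """
    return hashlib.sha256(token.encode("utf-8")).digest()


def check_token_naive(presented: str, valid: Iterable[str]) -> bool:
    # The 'before' pattern: str equality short-circuits at the first
    # mismatching character, so response time correlates with how many
    # leading characters of the guess were correct.
    return any(presented == t for t in valid)


def check_token_compare_digest(presented: str, valid: Iterable[str]) -> bool:
    # Constant time in the token value, but the Python docs note that inputs
    # of different lengths may still leak length information, and str
    # inputs must be ASCII (a non-ASCII str raises TypeError).
    return any(secrets.compare_digest(presented, t) for t in valid)


def check_token_hashed(presented: str, valid: Iterable[str]) -> bool:
    # Hardened form: hash both sides so compare_digest always sees two
    # 32-byte inputs. The loop deliberately does not short-circuit, so the
    # work done is independent of which entry (if any) matched.
    presented_digest = _digest(presented)
    matched = False
    for t in valid:
        matched |= secrets.compare_digest(presented_digest, _digest(t))
    return matched


def non_ascii_behaviour() -> dict:
    """Run each checker on a constructed non-ASCII token and report the outcome.

    Returns True/False for checkers that accept the input and a
    'TypeError: ...' string for the one that refuses it.
    """
    token = "exemple-jeton-é"  # constructed sample, not a real token
    results = {}
    for name, fn in (("naive", check_token_naive),
                     ("compare_digest", check_token_compare_digest),
                     ("hashed", check_token_hashed)):
        try:
            results[name] = fn(token, [token])
        except TypeError as exc:
            results[name] = f"TypeError: {exc}"
    return results


if __name__ == "__main__":
    print(check_token_hashed("example-token-one", VALID_TOKENS))
    print(check_token_hashed("example-token-on", VALID_TOKENS))
    print(non_ascii_behaviour())
```

In a real server the digests of the configured tokens would be computed once at startup rather than on every request; the per-request work is then one SHA-256 over the presented token plus one fixed-length `compare_digest` per configured token. Note that hashing does not hide which configured token matched if the loop short-circuits, which is why the hardened version accumulates the result instead of returning early.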
simon-mo pushed a commit that referenced this pull request on Sep 28, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
pdasigi pushed a commit to pdasigi/vllm that referenced this pull request on Oct 2, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
yewentao256 pushed a commit that referenced this pull request on Oct 3, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: yewentao256 <zhyanwentao@126.com>
choprahetarth pushed a commit to Tandemn-Labs/vllm that referenced this pull request on Oct 11, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
shyeh25 pushed a commit to shyeh25/vllm that referenced this pull request on Oct 14, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
lywa1998 pushed a commit to lywa1998/vllm that referenced this pull request on Oct 20, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
alhridoy pushed a commit to alhridoy/vllm that referenced this pull request on Oct 24, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
rtourgeman pushed a commit to rtourgeman/vllm that referenced this pull request on Nov 10, 2025:
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
silverjam pushed a commit to YurtsAI/yurts-vllm that referenced this pull request on Jan 24, 2026:
Cherry pick vllm-project@ee10d7e Validate API tokens in constant time (vllm-project#25781)
Signed-off-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: rentianyue-jk <rentianyue-jk@360shuke.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
Resolves GHSA-wr9h-g72x-mwhm