Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
Vulnerability Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
vLLM 安全漏洞
Vulnerability Description
vLLM是vLLM开源的一个适用于 LLM 的高吞吐量和内存高效推理和服务引擎。 vLLM 0.1.0至0.19.0之前版本存在安全漏洞,该漏洞源于ChatCompletionRequest和CompletionRequest Pydantic模型中n参数缺少上限验证,可能导致未经验证的攻击者通过发送单个HTTP请求造成拒绝服务攻击。
CVSS Information
N/A
Vulnerability Type
N/A