Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Reachable over the network via unauthenticated chat completions API with a single crafted request; impact is solely worker OOM crash, so availability is High and confidentiality/integrity are None.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the VideoMediaIO.load_base64() method. When processing video/jpeg data URLs, the method splits the base64 data string on commas to extract individual JPEG frames without enforcing a frame count limit. An attacker can exploit this by crafting a single API request containing thousands of comma-separated base64-encoded JPEG frames in a data URL, causing the server to decode all frames into memory and crash due to excessive memory consumption. This vulnerability is reachable via the OpenAI-compatible chat completions API and does not require authentication.
AnalysisAI
Denial of service in vLLM 0.8.0 and later allows remote unauthenticated attackers to crash the inference server by sending a single OpenAI-compatible chat completion request containing a video/jpeg data URL with thousands of comma-separated base64-encoded JPEG frames. The VideoMediaIO.load_base64() method decodes every frame without enforcing a count limit, exhausting server memory. No public exploit identified at time of analysis, but an upstream fix commit is available on GitHub.
Technical ContextAI
vLLM is a high-throughput LLM inference and serving engine widely deployed behind OpenAI-compatible APIs for multimodal models. The flaw resides in vllm/multimodal/media/video.py within the VideoMediaIO.load_base64() helper, which handles video/jpeg data URLs by splitting the base64 payload on commas to extract individual JPEG frames before decoding each into a NumPy array. The CPE cpe:2.3:a:vllm-project:vllm-project/vllm confirms the affected component, and the root cause maps cleanly to CWE-400 (Uncontrolled Resource Consumption): the splitter never caps the number of comma-separated frames, so the size of an attacker-controlled list directly drives memory allocation during PIL/NumPy decoding.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - operators should pull the change from vllm-project/vllm commit 58ee61422169ce17e08248f8efa1e9df434fe395, which makes VideoMediaIO.load_base64() honor num_frames by using data.split(',', self.num_frames)[:self.num_frames] so only the configured number of frames are decoded. Until a tagged release containing this commit is deployed, restrict the OpenAI-compatible chat completions endpoint to authenticated, trusted clients (network ACLs, API gateway auth, or reverse-proxy basic auth) and, if multimodal video input is not required, configure the served model without video modality or block requests whose message content includes video/jpeg data URLs at the proxy layer, accepting the trade-off that legitimate video-frame submissions will be rejected. Additionally, enforce per-request body size limits and per-process memory cgroup limits in front of vLLM so a single oversized request causes a bounded worker restart instead of host-level OOM; details and links are tracked at https://huntr.com/bounties/7bd92629-b396-4449-8f88-6c0092530eb4.
More in Vllm Project Vllm
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36217
GHSA-wcwg-c5fc-9vrc