Vllm
Monthly
Denial of service in vLLM 0.12.0 through 0.23.x lets any authorized API caller crash the entire inference server by submitting a pure prompt-embeddings payload to the /v1/completions endpoint when a model using M-RoPE (multimodal rotary position embedding) is loaded. The malformed request trips a reachable assertion in the EngineCore process, which terminates the whole server rather than rejecting the single request. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in vLLM 0.24.0.
Denial of service in vLLM inference servers prior to 0.24.0 allows remote unauthenticated attackers to hang an inference worker indefinitely by submitting a single request with an adversarial regular expression via the structured_outputs.regex API parameter. The pattern is passed to grammar compiler backends (xgrammar with no guard, outlines with structural-but-not-complexity validation) where nested quantifiers trigger exponential state-space expansion (ReDoS). No public exploit identified at time of analysis, though the trivial request-based trigger makes weaponization straightforward.
Denial of service in the vLLM LLM inference server (all versions prior to 0.24.0) allows a remote client to crash the shared engine worker by sending a specific multi-request speculative decoding workload. The rejection sampler produces a recovered token equal to the vocabulary-size boundary, which is coerced to -1, written back into the drafter's input ids, and later dereferenced by the embedding/attention path, triggering a GPU device-side assertion that kills the worker. There is no public exploit identified at time of analysis and this CVE is not in CISA KEV; per CVSS the impact is availability-only (C:N/I:N/A:H) with a low EPSS profile expected for a crash-only bug.
Memory exhaustion in vLLM 0.22.0-0.23.0 allows authenticated API callers to crash or destabilize the inference server by uploading arbitrarily large audio files. The `/v1/audio/transcriptions` and `/v1/audio/translations` endpoints invoke `request.file.read()` to fully buffer multipart uploads into process memory before the `VLLM_MAX_AUDIO_CLIP_FILESIZE_MB` size guard is evaluated, meaning the size limit is checked only after the damage is done. No public exploit is identified at time of analysis; vendor-confirmed fix is available in version 0.24.0.
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. No public exploit identified at time of analysis, but the supply-chain primitive is well understood and trivially weaponizable.
Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. No public exploit identified at time of analysis; this continuation of CVE-2025-62164 addresses the root cause that the prior fix only masked by disabling the feature by default.
Regular expression denial of service in vLLM versions 0.6.3 through 0.8.x exposes three distinct attack surfaces - the LoRA utility module, the phi4mini tool parser, and the OpenAI-compatible chat endpoint - to catastrophic regex backtracking, causing severe CPU exhaustion and service-wide denial of service. Authenticated API consumers can submit crafted inputs with deeply nested or repeated structures (e.g., `((((a|)+)+)+)`) to trigger unbounded processing in Python's backtracking NFA regex engine. No public exploit identified at time of analysis, though the GHSA advisory discloses the exact vulnerable patterns and example malicious inputs, substantially lowering the reproduction barrier for anyone with API access.
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. Publicly available exploit code exists (GitHub issue #37343); no confirmed active exploitation at time of analysis.
A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component KV Block Handler. Performing a manipulation results in uninitialized resource. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The patch is named 1ad67864c0c20f167929e64c875f5c28e1aad9fd. To fix this issue, it is recommended to deploy a patch.
vLLM versions 0.5.5 through 0.17.x use incorrect mono audio downmixing via numpy.mean instead of the ITU-R BS.775-4 weighted standard, causing audio processed by AI models to diverge from human perception. An authenticated remote attacker with low privileges can exploit this inconsistency to manipulate audio-based model outputs or infer mismatches between expected and actual audio processing, affecting integrity of audio-driven inference pipelines. The vulnerability has been patched in vLLM 0.18.0.
Remote code execution is possible in vLLM inference and serving engine versions 0.10.1 through 0.17.x due to hardcoded trust_remote_code=True settings in two model implementation files that override users' explicit --trust-remote-code=False security configuration. Attackers can exploit this by hosting malicious model repositories that execute arbitrary code when loaded by vLLM, even when users have intentionally disabled remote code trust for security. Version 0.18.0 patches this vulnerability, with no public exploit identified at time of analysis and a CVSS score of 8.8 requiring user interaction to trigger.
Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server into fetching attacker-chosen internal URLs, bypassing the allowed_media_domains allowlist that was added to fix CVE-2026-24779. The bypass exploits a backslash-before-@ parsing disagreement between urllib3.util.parse_url (validation layer) and aiohttp/yarl (HTTP client), so a URL the allowlist reads as a permitted host is actually fetched from an internal target. It carries a CVSS 9.8 rating, a vendor patch and Red Hat advisory are available, and a working bypass payload is published in the GHSA advisory and fix test suite, though EPSS is very low (0.02%, 3rd percentile) and it is not on CISA KEV.
Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal endpoint cause sensitive data logging. Patch available.
vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where inconsistent URL parsing between libraries allows attackers to bypass host restrictions and force the server to make arbitrary requests to internal network resources. Public exploit code exists for this vulnerability, which poses significant risk in containerized environments where a compromised vLLM instance could be leveraged to access restricted internal systems. The vulnerability affects users running vLLM's multimodal features with untrusted input.
Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbitrary Python on the inference host: vLLM auto-loads Hugging Face `auto_map` dynamic modules during model resolution without honoring the `trust_remote_code` safety gate, so attacker-supplied code executes at server startup before any request is processed and without API access. The flaw carries a CVSS 9.8 and is fixed in 0.14.0, with Red Hat shipping multiple RHSA errata; however EPSS is only 0.06% (17th percentile) and there is no public exploit identified at time of analysis, so exploitation hinges on an attacker first influencing which model is loaded. This is a code-injection (CWE-94) trust-boundary bypass rather than a remotely reachable network service bug despite the AV:N rating.
Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity.
vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.
vLLM is an inference and serving engine for large language models (LLMs). Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
vLLM is an inference and serving engine for large language models. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Denial of service in vLLM 0.12.0 through 0.23.x lets any authorized API caller crash the entire inference server by submitting a pure prompt-embeddings payload to the /v1/completions endpoint when a model using M-RoPE (multimodal rotary position embedding) is loaded. The malformed request trips a reachable assertion in the EngineCore process, which terminates the whole server rather than rejecting the single request. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in vLLM 0.24.0.
Denial of service in vLLM inference servers prior to 0.24.0 allows remote unauthenticated attackers to hang an inference worker indefinitely by submitting a single request with an adversarial regular expression via the structured_outputs.regex API parameter. The pattern is passed to grammar compiler backends (xgrammar with no guard, outlines with structural-but-not-complexity validation) where nested quantifiers trigger exponential state-space expansion (ReDoS). No public exploit identified at time of analysis, though the trivial request-based trigger makes weaponization straightforward.
Denial of service in the vLLM LLM inference server (all versions prior to 0.24.0) allows a remote client to crash the shared engine worker by sending a specific multi-request speculative decoding workload. The rejection sampler produces a recovered token equal to the vocabulary-size boundary, which is coerced to -1, written back into the drafter's input ids, and later dereferenced by the embedding/attention path, triggering a GPU device-side assertion that kills the worker. There is no public exploit identified at time of analysis and this CVE is not in CISA KEV; per CVSS the impact is availability-only (C:N/I:N/A:H) with a low EPSS profile expected for a crash-only bug.
Memory exhaustion in vLLM 0.22.0-0.23.0 allows authenticated API callers to crash or destabilize the inference server by uploading arbitrarily large audio files. The `/v1/audio/transcriptions` and `/v1/audio/translations` endpoints invoke `request.file.read()` to fully buffer multipart uploads into process memory before the `VLLM_MAX_AUDIO_CLIP_FILESIZE_MB` size guard is evaluated, meaning the size limit is checked only after the damage is done. No public exploit is identified at time of analysis; vendor-confirmed fix is available in version 0.24.0.
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. No public exploit identified at time of analysis, but the supply-chain primitive is well understood and trivially weaponizable.
Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. No public exploit identified at time of analysis; this continuation of CVE-2025-62164 addresses the root cause that the prior fix only masked by disabling the feature by default.
Regular expression denial of service in vLLM versions 0.6.3 through 0.8.x exposes three distinct attack surfaces - the LoRA utility module, the phi4mini tool parser, and the OpenAI-compatible chat endpoint - to catastrophic regex backtracking, causing severe CPU exhaustion and service-wide denial of service. Authenticated API consumers can submit crafted inputs with deeply nested or repeated structures (e.g., `((((a|)+)+)+)`) to trigger unbounded processing in Python's backtracking NFA regex engine. No public exploit identified at time of analysis, though the GHSA advisory discloses the exact vulnerable patterns and example malicious inputs, substantially lowering the reproduction barrier for anyone with API access.
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. Publicly available exploit code exists (GitHub issue #37343); no confirmed active exploitation at time of analysis.
A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component KV Block Handler. Performing a manipulation results in uninitialized resource. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The patch is named 1ad67864c0c20f167929e64c875f5c28e1aad9fd. To fix this issue, it is recommended to deploy a patch.
vLLM versions 0.5.5 through 0.17.x use incorrect mono audio downmixing via numpy.mean instead of the ITU-R BS.775-4 weighted standard, causing audio processed by AI models to diverge from human perception. An authenticated remote attacker with low privileges can exploit this inconsistency to manipulate audio-based model outputs or infer mismatches between expected and actual audio processing, affecting integrity of audio-driven inference pipelines. The vulnerability has been patched in vLLM 0.18.0.
Remote code execution is possible in vLLM inference and serving engine versions 0.10.1 through 0.17.x due to hardcoded trust_remote_code=True settings in two model implementation files that override users' explicit --trust-remote-code=False security configuration. Attackers can exploit this by hosting malicious model repositories that execute arbitrary code when loaded by vLLM, even when users have intentionally disabled remote code trust for security. Version 0.18.0 patches this vulnerability, with no public exploit identified at time of analysis and a CVSS score of 8.8 requiring user interaction to trigger.
Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server into fetching attacker-chosen internal URLs, bypassing the allowed_media_domains allowlist that was added to fix CVE-2026-24779. The bypass exploits a backslash-before-@ parsing disagreement between urllib3.util.parse_url (validation layer) and aiohttp/yarl (HTTP client), so a URL the allowlist reads as a permitted host is actually fetched from an internal target. It carries a CVSS 9.8 rating, a vendor patch and Red Hat advisory are available, and a working bypass payload is published in the GHSA advisory and fix test suite, though EPSS is very low (0.02%, 3rd percentile) and it is not on CISA KEV.
Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal endpoint cause sensitive data logging. Patch available.
vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where inconsistent URL parsing between libraries allows attackers to bypass host restrictions and force the server to make arbitrary requests to internal network resources. Public exploit code exists for this vulnerability, which poses significant risk in containerized environments where a compromised vLLM instance could be leveraged to access restricted internal systems. The vulnerability affects users running vLLM's multimodal features with untrusted input.
Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbitrary Python on the inference host: vLLM auto-loads Hugging Face `auto_map` dynamic modules during model resolution without honoring the `trust_remote_code` safety gate, so attacker-supplied code executes at server startup before any request is processed and without API access. The flaw carries a CVSS 9.8 and is fixed in 0.14.0, with Red Hat shipping multiple RHSA errata; however EPSS is only 0.06% (17th percentile) and there is no public exploit identified at time of analysis, so exploitation hinges on an attacker first influencing which model is loaded. This is a code-injection (CWE-94) trust-boundary bypass rather than a remotely reachable network service bug despite the AV:N rating.
Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity.
vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
vLLM is an inference and serving engine for large language models (LLMs). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.
vLLM is an inference and serving engine for large language models (LLMs). Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
vLLM is an inference and serving engine for large language models. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer() RPC server entrypoints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
vLLM is a library for LLM inference and serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.