repository icon
vllm-project / vllm Project repository

A high-throughput and memory-efficient inference and serving engine for LLMs

Submit a report

FIRST INTERACTION

WITHIN9 DAYS

REVIEW

WITHIN14 DAYS

FIX

WITHINN/A DAYS

chat_template_kwargs Injection Bypasses trust_request_chat_template Guard
jd-admrl-ai
self closed
SSRF Amplification via aiohttp trust_env=True Bypasses allowed_media_domains All...
jd-admrl-ai
self closed
Path Traversal via Unsanitized lora_path in /v1/load_lora_adapter Endpoint
jd-admrl-ai
self closed
SSRF via Unrestricted Multimodal URL Fetching - allowed_media_domains Check Bypa...
jd-admrl-ai
self closed
Arbitrary file clobber via checkpoint state-dict keys when loading untrusted mod...
mirr2
self closed
Responses API trust-boundary collapse via caller-controlled request_id enables c...
mirr2
self closed
SSRF via allowlisted-domain redirect laundering in batch media fetch path
mirr2
self closed
Server-Side Request Forgery (SSRF) via Multimodal Media URL Fetching — Cloud Cre...
skillwager
duplicate
None
Authentication Bypass and Arbitrary Method Execution via Dev Mode Endpoints
skillwager
duplicate
None
SSRF via multimodal image/audio/video URL fetching in chat completions API — no...
snakeyworm
duplicate
High
SSRF via Multimodal Media URL Fetch in Chat Completions API
skillwager
not applicable
Auth Bypass + Arbitrary Method Execution via Dev Mode Endpoints (/collective_rpc...
skillwager
spam
Unauthenticated SSRF via multimodal image_url field — empty list falsy bypass al...
radikhoroshev
duplicate
High
Authentication bypass on 6+ endpoints — auth middleware only protects /v1 paths,...
snakeyworm
not applicable
Authentication bypass on 6+ endpoints — auth middleware only protects /v1 paths,...
snakeyworm
not applicable
Arbitrary code execution via unsafe torch.load() without weights_only in 4 core...
elliottower
not applicable
SSRF via multimodal image/audio/video URLs — no domain restriction in default co...
microwaveovens-yay
duplicate
Medium
Authentication middleware only protects /v1 endpoints — /sleep, /wake_up, /start...
microwaveovens-yay
duplicate
High
OOM Denial of Service via Audio Decompression Bomb
rtv-git
not applicable
GPU Memory Read/Write via Unauthenticated NIXL Handshake Metadata Disclosure
rtv-git
self closed
GPU DMA Channel Hijacking via Unauthenticated NCCL unique_id Injection in P2pNcc...
rtv-git
self closed
API routes without /v1 prefix bypass API-key authentication in vLLM server
9to5ai
not applicable
Unauthenticated Memory Exhaustion DoS via Unbounded Audio Queue in WebSocket /v1...
xandramax
not applicable
Security Check Bypass via assert Statement in Activation Function Loading
pierreolivierbonin
not applicable
API Key Authentication Bypass on Non-/v1 Endpoints (SageMaker, tokenize, etc.)
lihfdgjr
not applicable
SSRF via Multimodal Media URL Fetching in vLLM
pierreolivierbonin
self closed
Automated Safety Guardrail Bypass in Llama-3.1-8b-Instruct (Malware Generation)
s05161497-sudo
not applicable
Unauthenticated Denial of Service via Elastic Endpoint Scaling API
hacnho
duplicate
High
Unauthenticated Arbitrary Worker Method Execution via collective_rpc API
hacnho
not applicable
Path Traversal via Malicious Weight Names in np_cache Loading
hacnho
not applicable
SSRF via Multimodal Media URLs + Authentication Bypass on Non-/v1 Endpoints
hacnho
duplicate
High
WebSocket KeyError in AuthenticationMiddleware breaks `/v1/realtime` when API ke...
vitocrl
not applicable
Unauthenticated server-wide DoS via `/scale_elastic_ep` auth bypass
vitocrl
duplicate
High
Authentication Bypass on Non-/v1 Endpoints Enables Unauthenticated Inference and...
0xbassia
not applicable
RCE via ungated cloudpickle.loads() in run_method() bypasses VLLM_ALLOW_INSECURE...
nhomyk
not applicable
Denial of Service via Multiple Logic Bugs in Realtime API WebSocket Handler
seory0
not applicable
SSRF in Batch API download_bytes_from_url allows fetching internal services and...
narrator3333-hash
not applicable
SSRF + Local File Read via Multimodal Media URL — Default Domain Whitelist Bypas...
appsecguardian-hash
duplicate
High
Pre-Auth RCE via Unauthenticated Pickle Deserialization in Distributed Communic...
appsecguardian-hash
not applicable
Unsafe deserialization via torch.load and pickle in vLLM model loading
etwithin
spam
LoRA Adapter rank=0 ZeroDivisionError DoS in PEFTHelper — Validation Bypass via...
apeiria-zero
self closed
Server-Side Request Forgery (SSRF) in vLLM Multimodal Media Connector Due to Emp...
invisiblemonsters
duplicate
High
Server-Side Request Forgery via Default Media URL Configuration — No Private IP...
apeiria-zero
duplicate
High
vLLM Unsafe Pickle Deserialization in /update_weights Endpoint — Unauthenticated...
avienma007
not applicable
vLLM Server-Side Request Forgery via Media URL Fetching
rezaduty
duplicate
Critical
Authentication Bypass via /invocations Endpoint in vLLM — Unauthorized Model Inf...
nottiboy137
duplicate
Critical
Authentication Bypass for Non-/v1 Endpoints Exposes Tokenization and Server Conf...
shima-coder
duplicate
Medium
SSRF via Multimodal Media URL Fetching Allows Cloud Metadata Theft and Internal...
shima-coder
duplicate
High
SSRF via Unrestricted Multimodal Media URL Fetching (Default Empty allowed_media...
invisiblemonsters
not applicable
NaN/Infinity Validation Bypass in SamplingParams via OpenAI-Compatible API
drrose2029
not applicable
Denial of Service via Unauthenticated /scale_elastic_ep Endpoint Setting Global...
seory0
not applicable
Authentication Bypass via Path Prefix Check in AuthenticationMiddleware Allowing...
seory0
not applicable
Path Traversal in LoRA Adapter Loading API Allows File Existence Oracle
222n5
not applicable
Remote Code Execution (RCE) via auto_map Dynamic Module Loading bypassing trust_...
amadhan882
not applicable
Remote Code Execution via Insecure Deserialization (pickle.loads/cloudpickle.loa...
sermikr0
spam
Unhandled Memory Corruption Resulting in DDOS
kattraxler
pending
Remote code execution via transformers_utils/get_config
vancir
High
CVE-2026-4943
Remote code execution may occur through the calculate_expression tool helper in...
dev-mhyun
not applicable
Undocumented Automatic Fallback to Unsafe Model Loading Creates Silent RCE Risk
rudra2018
informative
High
vLLM Server Unsafe Deserialization Leads to Arbitrary Code Execution
racerz-fighting
not applicable
Remote Code Execution in Insecure Pickle Deserialization via recv_obj() in class...
seaw1nd
duplicate
Critical
vLLM Server Unsafe Deserialization Leads to Arbitrary Code Execution
avilum
informative
Critical
Remote Code Execution by Pickle Deserialization via MessageQueue.dequeue() Broad...
zpbrent
Critical
$1500CVE-2024-11041
"POST /v1/completions" and "POST /v1/embeddings" Denials of Service
rh-tguittet
High
$750CVE-2024-11040
vllm has Cloudpickle deserializes arbitrary command execution
hexian2001
duplicate
Critical
Remote Code Execution by Pickle Deserialization via AsyncEngineRPCServer() RPC s...
zpbrent
Critical
$1500CVE-2024-9053
Remote Code Execution by Pickle Deserialization via recv_object() distributed tr...
zpbrent
Critical
$1500CVE-2024-9052
Command Injection in nccl_integrity_check function
vanirxxx
informative
High
Malicious model to RCE by torch.load in hf_model_weights_iterator (as well as th...
dogewatch
informative
Critical