CVE-2024-11040 Information

Description

vllm-project vllm version 0.5.2.2 is vulnerable to denial of service. The issue affects the `POST /v1/completions` and `POST /v1/embeddings` endpoints. For `POST /v1/completions`, enabling `use_beam_search` and setting `best_of` to a high value causes the HTTP connection to time out; vllm stops doing useful work and the request remains in a pending state, blocking new completion requests. For `POST /v1/embeddings`, supplying invalid input in the JSON request body breaks the background loop, so that all further completion requests return HTTP 500 (Internal Server Error) until vllm is restarted. In both cases a single unauthenticated request is enough to take the server offline for every other client.
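The durable fix is to upgrade to a vllm release that contains the patch. Where that is not immediately possible, the request shapes named above can be refused before they reach the server. The following is an added example of such a front-door check, not code from the vllm project or from the advisory: it parses the JSON body of each request, rejects a completions request that combines `use_beam_search` with a `best_of` above a configured cap, and rejects an embeddings request whose `input` is not a well-formed string, token list, or list of those. The limits (`MAX_BEST_OF`, `MAX_INPUT_ITEMS`, `MAX_STR_LEN`), the `check()` function and the sample request bodies are all assumptions made for this illustration; the exact malformed embeddings input the advisory refers to is not published on this page, so the embeddings check is a strict schema gate rather than a match on a known payload.

```python
"""Pre-validation for an OpenAI-compatible vLLM front end (added example).

Not vLLM project code. Meant to sit in a reverse proxy or API gateway in
front of the inference server and refuse the two request shapes the
advisory describes. The numeric limits below are assumed policy values.
"""
import json

MAX_BEST_OF = 4          # assumed cap; beam search cost grows with best_of
MAX_INPUT_ITEMS = 256    # assumed cap on batch size for /v1/embeddings
MAX_STR_LEN = 32_768     # assumed cap on a single text input, in characters


class RequestRejected(ValueError):
    """Raised with a human-readable reason when a request must not be forwarded."""


def _parse_json_object(raw: bytes) -> dict:
    try:
        body = json.loads(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        raise RequestRejected(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise RequestRejected("request body must be a JSON object")
    return body


def _is_token_list(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return (isinstance(value, list) and len(value) > 0
            and all(isinstance(t, int) and not isinstance(t, bool) for t in value))


def validate_completions(raw: bytes) -> dict:
    """Reject beam-search requests whose best_of exceeds the cap."""
    body = _parse_json_object(raw)
    if not isinstance(body.get("prompt"), (str, list)):
        raise RequestRejected("prompt must be a string or a list")
    beam = body.get("use_beam_search", False)
    if not isinstance(beam, bool):
        raise RequestRejected("use_beam_search must be a boolean")
    best_of = body.get("best_of", 1)
    if isinstance(best_of, bool) or not isinstance(best_of, int) or best_of < 1:
        raise RequestRejected("best_of must be a positive integer")
    # Cap best_of unconditionally; the beam-search case is the one the
    # advisory names, but a large best_of is expensive either way.
    if best_of > MAX_BEST_OF:
        raise RequestRejected(f"best_of={best_of} exceeds limit {MAX_BEST_OF}"
                              + (" (use_beam_search enabled)" if beam else ""))
    return body


def validate_embeddings(raw: bytes) -> dict:
    """Accept only a non-empty string, a token list, or a list of those."""
    body = _parse_json_object(raw)
    inp = body.get("input")
    if isinstance(inp, str) or _is_token_list(inp):
        items = [inp]
    elif isinstance(inp, list) and inp:
        items = inp
    else:
        raise RequestRejected("input must be a non-empty string, a token list, "
                              "or a non-empty list of those")
    if len(items) > MAX_INPUT_ITEMS:
        raise RequestRejected(f"{len(items)} inputs exceeds limit {MAX_INPUT_ITEMS}")
    for item in items:
        if isinstance(item, str):
            if not item.strip() or len(item) > MAX_STR_LEN:
                raise RequestRejected("each text input must be non-empty and "
                                      f"at most {MAX_STR_LEN} characters")
        elif not _is_token_list(item):
            raise RequestRejected("each input item must be a non-empty string "
                                  "or a list of integer token ids")
    return body


_VALIDATORS = {
    "/v1/completions": validate_completions,
    "/v1/embeddings": validate_embeddings,
}


def check(path: str, raw: bytes) -> tuple[bool, str]:
    """Return (forward?, reason). Unknown paths are forwarded unchanged."""
    validator = _VALIDATORS.get(path)
    if validator is None:
        return True, "no validator for path"
    try:
        validator(raw)
    except RequestRejected as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = [
        ("/v1/completions", b'{"prompt": "hello", "use_beam_search": true, "best_of": 2}'),
        ("/v1/completions", b'{"prompt": "hello", "use_beam_search": true, "best_of": 1000}'),
        ("/v1/embeddings", b'{"model": "m", "input": ["a sentence", [1, 2, 3]]}'),
        ("/v1/embeddings", b'{"model": "m", "input": {"unexpected": "object"}}'),
        ("/v1/embeddings", b'{"model": "m", "input": ""}'),
        ("/v1/embeddings", b'not json at all'),
    ]
    for path, raw in samples:
        ok, why = check(path, raw)
        print(f"{'FORWARD' if ok else 'REJECT '} {path}: {why}")
```

A gate like this only narrows the attack surface; it does not repair the server-side fault, so a request that passes the schema check but still trips the bug will have the same effect. Treat it as a stopgap alongside network-level restrictions on who may reach the API, and remove it once the server is upgraded.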

Reference

https://huntr.com/bounties/8ce20bbe-3c96-4cd1-97e5-25a5630925be
