vLLM, Insecure Hashing Vulnerability, CVE-2024-XXXX (Medium)

Listen to this Post

How the CVE Works

The vulnerability in vLLM’s `MultiModalHasher` class arises due to improper serialization of PIL `Image` objects in hasher.py. The method `serialize_item` uses only obj.tobytes(), which extracts raw pixel data but omits critical metadata like image dimensions (width, height) and color mode. This allows two different images with identical pixel sequences but different shapes (e.g., 30×100 vs. 100×30) to produce the same hash. Attackers can exploit this to force hash collisions, leading to incorrect cache hits, data leakage, or serving manipulated images. The issue also affects video data due to improper NumPy array handling, while audio remains unaffected.

DailyCVE Form

Platform: vLLM
Version: <0.4.0
Vulnerability: Insecure Hashing
Severity: Medium
Date: 2024-06-10

Prediction: Patch by 2024-07-15

What Undercode Say:

Exploitation:

  1. Craft two images with identical pixel bytes but different dimensions:
    from PIL import Image
    img1 = Image.new("RGB", (30, 100), color="red")
    img2 = Image.new("RGB", (100, 30), color="red")
    assert img1.tobytes() == img2.tobytes() Same hash in vLLM
    
  2. Abuse cache poisoning by uploading colliding images to trigger incorrect model responses.

Mitigation:

Patch `serialize_item` to include metadata:

def serialize_item(self, obj):
if isinstance(obj, Image.Image):
return obj.tobytes() + obj.size + obj.mode.encode()

Detection:

Scan for vLLM versions <0.4.0:

pip show vllm | grep Version

Analytics:

  • Risk Score: 6.5/10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
  • Affected Users: AI platforms using vLLM for multimodal caching.
  • Patch Test: Validate hashes post-fix:
    img_hash = hasher.serialize_item(img)
    assert img_hash != hasher.serialize_item(img.resize((50,50)))
    

References:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top