Listen to this Post
How the CVE Works
The vulnerability in vLLM’s `MultiModalHasher` class arises due to improper serialization of PIL `Image` objects in hasher.py. The method `serialize_item` uses only obj.tobytes(), which extracts raw pixel data but omits critical metadata like image dimensions (width, height) and color mode. This allows two different images with identical pixel sequences but different shapes (e.g., 30×100 vs. 100×30) to produce the same hash. Attackers can exploit this to force hash collisions, leading to incorrect cache hits, data leakage, or serving manipulated images. The issue also affects video data due to improper NumPy array handling, while audio remains unaffected.
DailyCVE Form
Platform: vLLM
Version: <0.4.0
Vulnerability: Insecure Hashing
Severity: Medium
Date: 2024-06-10
Prediction: Patch by 2024-07-15
What Undercode Say:
Exploitation:
- Craft two images with identical pixel bytes but different dimensions:
from PIL import Image img1 = Image.new("RGB", (30, 100), color="red") img2 = Image.new("RGB", (100, 30), color="red") assert img1.tobytes() == img2.tobytes() Same hash in vLLM - Abuse cache poisoning by uploading colliding images to trigger incorrect model responses.
Mitigation:
Patch `serialize_item` to include metadata:
def serialize_item(self, obj): if isinstance(obj, Image.Image): return obj.tobytes() + obj.size + obj.mode.encode()
Detection:
Scan for vLLM versions <0.4.0:
pip show vllm | grep Version
Analytics:
- Risk Score: 6.5/10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
- Affected Users: AI platforms using vLLM for multimodal caching.
- Patch Test: Validate hashes post-fix:
img_hash = hasher.serialize_item(img) assert img_hash != hasher.serialize_item(img.resize((50,50)))
References:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

