PT-2026-5654 · Hugging Face · Text-Generation-Inference

Published 2026-02-02 · Updated 2026-02-26 · CVE-2026-0599

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

huggingface/text-generation-inference version 3.3.6
huggingface/text-generation-inference versions prior to 3.3.7

Description

A flaw exists in huggingface/text-generation-inference that allows unauthenticated remote attackers to cause a denial-of-service condition through resource exhaustion. The issue occurs during input validation in VLM mode when the system processes Markdown image links by performing HTTP GET requests. The entire response body is read into memory and cloned, potentially leading to network bandwidth saturation, memory inflation, and CPU overutilization. This behavior can crash the host machine, especially in default configurations lacking memory limits and authentication. The issue is triggered even if the request is ultimately rejected due to token limits.

Recommendations

Update huggingface/text-generation-inference to version 3.3.7 or later.
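An added example, not code from this advisory or from the text-generation-inference project: one way to bound the memory cost of fetching a remote image, by refusing an oversized declared length and capping the streamed read. The names `read_capped`, `FetchError` and the 8 MiB `MAX_IMAGE_BYTES` are assumptions, and an in-memory reader stands in for the HTTP response body.

```rust
use std::io::{self, Read};

/// Hypothetical cap on a fetched image body; tune per deployment.
pub const MAX_IMAGE_BYTES: u64 = 8 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum FetchError {
    DeclaredTooLarge(u64), // Content-Length already exceeds the cap
    BodyTooLarge,          // stream kept going past the cap
    Io(io::ErrorKind),
}

/// Read a response body without ever buffering more than `limit` + 1 bytes.
/// `declared_len` is the Content-Length value, if the server sent one.
pub fn read_capped<R: Read>(
    body: R,
    declared_len: Option<u64>,
    limit: u64,
) -> Result<Vec<u8>, FetchError> {
    // Use the header only to refuse early, never to allow: it can be
    // absent or wrong, so the streamed read below is still capped.
    if let Some(n) = declared_len {
        if n > limit {
            return Err(FetchError::DeclaredTooLarge(n));
        }
    }
    // Pull at most limit + 1 bytes; the extra byte reveals an over-limit body.
    let mut buf = Vec::new();
    body.take(limit.saturating_add(1))
        .read_to_end(&mut buf)
        .map_err(|e| FetchError::Io(e.kind()))?;
    if buf.len() as u64 > limit {
        return Err(FetchError::BodyTooLarge);
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs: a small body, then an endless stream with no length header.
    let small = vec![0u8; 1024];
    println!("{:?}", read_capped(&small[..], Some(1024), MAX_IMAGE_BYTES).map(|b| b.len()));
    println!("{:?}", read_capped(io::repeat(0xAA), None, MAX_IMAGE_BYTES).map(|b| b.len()));
}
```

The returned buffer can be passed on by reference instead of cloned, and a cap like this complements, rather than replaces, the upgrade to 3.3.7 and container-level memory limits.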

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-0599
GHSA-J7X9-7J54-2V3H

Affected Products

Text-Generation-Inference