vLLM · vLLM · CVE-2026-22778
**Name of the Vulnerable Software and Affected Versions**
vLLM versions 0.8.3 through 0.14.0
**Description**
vLLM is an inference and serving engine for large language models. A chain of issues allows remote code execution when the service is configured to serve a video model. First, sending an invalid image to the multimodal endpoint causes PIL to throw an error that vLLM returns to the client, leaking a heap address. This leak significantly reduces the effectiveness of Address Space Layout Randomization (ASLR), cutting the number of candidate guesses from 4 billion to approximately 8.
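The information-leak half of the chain comes from handing a raw library exception back to the caller. The following is an added example, not vLLM's code, showing the defensive pattern an operator or maintainer would want at that boundary: redact pointer-like values, log the detail server-side under a correlation id, and return only a generic message to the client. The sample error text is constructed; it assumes the leaked address appears inside an object repr of the form `<... object at 0x...>`, which is the usual way a Python exception message ends up carrying a heap address.

```python
import logging
import re
import uuid

# Constructed sample of an image-decode error whose object repr embeds a heap
# address. Assumption: exact wording varies by library and version; the
# "at 0x..." fragment is the part that matters for the leak.
SAMPLE_ERROR = "cannot identify image file <_io.BytesIO object at 0x7f3a1c2b4d50>"

# Anything that looks like a hex pointer (at least 6 hex digits after 0x).
_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{6,}")

log = logging.getLogger("image-errors")


def redact_addresses(text: str) -> str:
    """Replace pointer-like values with a fixed token before the text leaves the process."""
    return _ADDR_RE.sub("0x<redacted>", text)


def leaks_address(text: str) -> bool:
    """Detection helper for response audits: True if text still carries a pointer-like value."""
    return _ADDR_RE.search(text) is not None


def client_safe_error(exc: Exception, status: int = 400) -> dict:
    """Build the body to return instead of str(exc).

    The redacted detail is logged with a correlation id so operators can still
    debug a failed decode; the client sees only a generic message and the id.
    """
    ref = uuid.uuid4().hex[:12]
    log.warning("image decode failed ref=%s detail=%s", ref, redact_addresses(str(exc)))
    return {"error": {"message": "invalid image payload", "ref": ref, "status": status}}


if __name__ == "__main__":
    # Simulate the decoder raising on an invalid image.
    try:
        raise ValueError(SAMPLE_ERROR)
    except ValueError as exc:
        body = client_safe_error(exc)
    print(body)
    print("address still present in client body:", leaks_address(str(body)))
```

`leaks_address` doubles as a cheap regression check: run it over error responses captured from a staging deployment and any hit means a code path still echoes raw exception text.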
This information leak can be chained with a heap buffer overflow in the JPEG2000 decoder within the bundled FFmpeg 5.1.x used by OpenCV. The overflow occurs because the decoder honors a `cdef` box that remaps color channels, allowing a large Y (luma) plane to be written into a smaller U (chroma) buffer. This can be exploited by sending a malicious video URL to the following endpoints:
- `/v1/chat/completions`
- `/v1/invocations`
By overwriting a function pointer (such as the `free()` pointer in an `AVBuffer` structure) with `system()`, an attacker can execute arbitrary commands on the server. The attack is feasible even with an API key enabled, via the invocations route, because the payload executes before authentication.
**Recommendations**
Update vLLM to version 0.14.1.
As a temporary workaround, disable the use of video models or restrict access to the `/v1/chat/completions` and `/v1/invocations` endpoints if they are used to process `video url` content.
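Two checks an operator would want while rolling out the fix, as an added example that is not part of the advisory or of vLLM itself: an affected-version test against the range stated above, and a request gate for a reverse proxy in front of the server that refuses bodies carrying video content on the two listed endpoints. It assumes that both endpoints accept an OpenAI-style chat body and that video arrives as a content part of type `video_url` (vLLM's multimodal chat format); the endpoint paths and version numbers are taken from the advisory, and the request bodies below are constructed.

```python
import json
import re

# Affected range from the advisory, inclusive on both ends; fixed in 0.14.1.
AFFECTED_MIN = (0, 8, 3)
AFFECTED_MAX = (0, 14, 0)
FIXED = (0, 14, 1)

# Endpoints named in the advisory.
VIDEO_ENDPOINTS = {"/v1/chat/completions", "/v1/invocations"}

# Assumption: video content is an OpenAI-style content part with type
# "video_url"; extend this set if your deployment uses another part type.
VIDEO_PART_TYPES = {"video_url"}


def parse_version(v: str) -> tuple:
    """'0.14.0' or 'v0.14.0rc1' -> (0, 14, 0); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(v: str) -> bool:
    """True if the running version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def has_video_content(body: dict) -> bool:
    """True if any message carries a video content part.

    Handles string content (cannot carry a part), list content, and parts whose
    'type' is mislabeled but still contain a video_url key.
    """
    for msg in body.get("messages") or []:
        if not isinstance(msg, dict):
            continue
        content = msg.get("content")
        if not isinstance(content, list):
            continue
        for part in content:
            if not isinstance(part, dict):
                continue
            ptype = str(part.get("type", "")).lower()
            if ptype in VIDEO_PART_TYPES or any(k in part for k in VIDEO_PART_TYPES):
                return True
    return False


def admit_request(path: str, raw_body: bytes) -> tuple:
    """Proxy-side gate: returns (allowed, reason) for a request to `path`."""
    if path not in VIDEO_ENDPOINTS:
        return True, "endpoint not in scope"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(body, dict):
        return False, "unexpected body shape"
    if has_video_content(body):
        return False, "video content disabled pending upgrade to 0.14.1"
    return True, "ok"


if __name__ == "__main__":
    for v in ("0.8.2", "0.8.3", "0.14.0", "0.14.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    # Constructed request bodies.
    with_video = json.dumps({"messages": [{"role": "user", "content": [
        {"type": "text", "text": "describe this"},
        {"type": "video_url", "video_url": {"url": "http://example.invalid/clip.mp4"}},
    ]}]}).encode()
    text_only = json.dumps({"messages": [{"role": "user", "content": "hello"}]}).encode()
    print(admit_request("/v1/chat/completions", with_video))
    print(admit_request("/v1/invocations", text_only))
```

The gate is deliberately fail-closed on malformed or unexpectedly shaped bodies for the in-scope endpoints only, so unrelated routes such as model listing are untouched; the version check is what tells you whether the gate is still needed after a deploy.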