Zyz3366

**Name of the Vulnerable Software and Affected Versions** SGLang version 0.5.10.post1 **Description** A flaw exists in the Inference HTTP Endpoint component within the file python/sglang/srt/lora/lora manager.py. Remote manipulation of the `lora path` argument can trigger a reachable assertion, potentially leading to a denial of service. This attack is characterized by high complexity and is considered difficult to execute. **Recommendations** As a temporary workaround, restrict or validate the input provided to the `lora path` argument in the affected component until a patch is accepted and released.

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

**Name of the Vulnerable Software and Affected Versions** vllm versions prior to 0.19.0 **Description** A flaw in the KV Block Handler component, specifically within the `has mamba layers()` function of the `vllm/v1/kv cache interface.py` file, allows for an uninitialized resource through manipulation. This issue can be triggered remotely, although the attack complexity is high and exploitability is difficult. **Recommendations** Deploy patch 1ad67864c0c20f167929e64c875f5c28e1aad9fd for versions prior to 0.19.0. As a temporary workaround, restrict access to the `has mamba layers()` function to minimize the risk of exploitation.