CVE-2024-11040

Name of the Vulnerable Software and Affected Versions vllm versions 0.5.2.2

Description The issue is related to Denial of Service attacks. It occurs in the "POST /v1/completions" and "POST /v1/embeddings" endpoints. For "POST /v1/completions", enabling use beam search and setting best of to a high value causes the HTTP connection to time out, with vllm ceasing effective work and the request remaining in a 'pending' state, blocking new completion requests. For "POST /v1/embeddings", supplying invalid inputs to the JSON object causes an issue in the background loop, resulting in all further completion requests returning a 500 HTTP error code ('Internal Server Error') until vllm is restarted.

Recommendations For version 0.5.2.2, as a temporary workaround, consider disabling the use beam search function and limiting the best of value in the "POST /v1/completions" endpoint until a patch is available. Restrict access to the "POST /v1/embeddings" endpoint to minimize the risk of exploitation by supplying invalid JSON inputs. Avoid using the best of variable with high values in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.