vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM's multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1.
When an invalid image is uploaded to vLLM's multimodal endpoint, the PIL library raises an exception that vLLM returns directly to the client — exposing the process heap memory address in the error message content (CWE-532: exposure of sensitive information to logs/responses). Knowing the heap address, the attacker reduces the ASLR randomness space from approximately 4 billion possibilities to only about 8. The memory layout knowledge obtained this way allows the attacker to reliably conduct the second stage of the attack — an exploit leveraging a heap overflow (heap overflow) in the JPEG2000 decoder available through OpenCV or FFmpeg. The combination of both techniques enables remote code execution without any authentication.
An unauthenticated remote attacker can gain full control over the vLLM process, leading to confidentiality, integrity, and availability compromise of the system — including potential takeover of the host running LLM models.
Update vLLM to version 0.14.1 or later, where the vulnerability has been fixed. Details are available in the official project references and advisory GHSA-4r2x-xpjr-7cvv.
vLLM versions 0.8.3 through 0.14.0 (inclusive) — installations using multimodal endpoints that accept images are excluded.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVllm
APPVllm0.8.3 – 0.14.1 (bez)
Related vulnerabilities
Pominięcie uwierzytelnienia w vLLM — bypass klucza API OpenAI
vLLM: niezamierzone nasłuchiwanie TCPStore na wszystkich interfejsach sieciowych
RCE w vLLM poprzez deserializację pickle na niezabezpieczonych gniazdach ZeroMQ
RCE przez niebezpieczną deserializację w vllm MessageQueue.dequeue()
RCE przez niebezpieczną deserializację w vLLM z Mooncake (ZMQ/TCP)