Homepage

vllm@0.7.3 vulnerabilities

A high-throughput and memory-efficient inference and serving engine for LLMs

  • latest version

    0.8.4

  • first published

    1 years ago

  • latest version published

    5 days ago

  • licenses detected

  • View vllm package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the vllm package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Deserialization of Untrusted Data

    vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the MessageQueue.dequeue() API function. An attacker can execute arbitrary code by sending a malicious payload to the message queue.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for vllm.

    [0,)
    • H
    Allocation of Resources Without Limits or Throttling

    vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in outlines_logits_processors.py module, which uses a local cache with unbounded size by default. An attacker can occupy all space on the target system by sending a stream of decoding requests with different schemas, adding indefinitely to the outlines cache.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade vllm to version 0.8.0 or higher.

    [,0.8.0)
    • C
    Deserialization of Untrusted Data

    vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the MooncakePipe class, which relies on pickle for serialization and deserialization in recv_tensor(). An attacker can execute arbitrary code on the host by sending malicious payloads using the ZMQ over TCP interface, which is exposed by the Mooncake integration by default.

    How to fix Deserialization of Untrusted Data?

    Upgrade vllm to version 0.8.0 or higher.

    [,0.8.0)
    Go back to all versions of this package