{"uuid": "5eff13c2-080a-462c-9d97-10d528945594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-8JR5-V98P-W75M", "type": "seen", "source": "https://gist.github.com/alon710/91c849a1a0fb4322b56402af2c5bb804", "content": "# GHSA-8JR5-V98P-W75M: Perception Desynchronization via Unnormalized EXIF Orientation and PNG Transparency in vLLM\n\n> **CVSS Score:** 8.6\n> **Published:** 2026-06-17\n> **Full Report:** https://cvereports.com/reports/GHSA-8JR5-V98P-W75M\n\n## Summary\nA critical preprocessing mismatch exists in vLLM's multimodal image pipeline before commit cf1c90672404548aa3bc51f92c4745576a65ee26. The vulnerability occurs because the engine loads user-submitted images and passes them to underlying Vision-Language Models (VLMs) without normalizing their EXIF orientation metadata or fully resolving complex transparency structures. This gap creates a perception desynchronization vulnerability where the physical pixel grid processed by the AI model differs significantly from how the image is visually rendered to human moderators or frontend applications. Attackers can exploit this mismatch to perform silent prompt injections, bypass safety moderation systems, or execute adversarial jailbreaks.\n\n## TL;DR\nvLLM failed to normalize image EXIF orientation and PNG transparency metadata. 
This causes Vision-Language Models to see a different image (e.g., rotated or with visible high-contrast text) than what is visually shown to human moderators, enabling silent prompt injections and safety bypasses.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1156 / CWE-436\n- **Attack Vector**: Network\n- **CVSS**: 8.6\n- **Impact**: Perception Desynchronization / Security Bypass\n- **Exploit Status**: PoC Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- **vllm**: < commit cf1c90672404548aa3bc51f92c4745576a65ee26 (Fixed in: `commit cf1c90672404548aa3bc51f92c4745576a65ee26`)\n\n## Mitigation\n\n- Upgrade vLLM to a secure release containing commit cf1c90672404548aa3bc51f92c4745576a65ee26.\n- Deploy custom preprocessing middleware to normalize incoming image payloads before they reach the inference pipeline.\n- Align backend alpha-blending canvas colors with standard frontend rendering background colors.\n\n**Remediation Steps:**\n1. Identify all deployment instances of vLLM processing multimodal image inputs.\n2. Apply the patch from commit cf1c90672404548aa3bc51f92c4745576a65ee26 or update the vLLM Python package to the latest version.\n3. Implement visual test cases using custom tRNS PNG files to verify that transparent areas are correctly flattened to white.\n4. Verify EXIF orientation parsing by submitting rotated images with valid EXIF headers and asserting correct model spatial logic.\n\n## References\n\n- [GHSA-8JR5-V98P-W75M Security Advisory](https://github.com/advisories/GHSA-8JR5-V98P-W75M)\n- [vLLM Pull Request #44974](https://github.com/vllm-project/vllm/pull/44974)\n- [vLLM Bug Fix Commit](https://github.com/vllm-project/vllm/commit/cf1c90672404548aa3bc51f92c4745576a65ee26)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-8JR5-V98P-W75M) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T14:41:27.000000Z"}