vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Summary Hitting the /v1/completions API with a invalid jsonschema as a Guided Param will kill the vllm server Details The following API call venv derekh@ip-172-31-15-108 $ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '"model":...

PT-2020-7857 · Ipsilon · Ipsilon

Name of the Vulnerable Software and Affected Versions: Ipsilon versions 0.1.0 through 1.0.0 Description: The issue arises from the Identity Provider IdP server not properly escaping certain characters in a Python exception-message template. This makes it easier for remote attackers to conduct...