vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Summary Hitting the /v1/completions API with a invalid jsonschema as a Guided Param will kill the vllm server Details The following API call venv derekh@ip-172-31-15-108 $ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '"model":...

GHSA-J828-28RJ-HFHP vLLM vulnerable to Regular Expression Denial of Service

Summary A recent review identified several regular expressions in the vllm codebase that are susceptible to Regular Expression Denial of Service ReDoS attacks. These patterns, if fed with crafted or malicious input, may cause severe performance degradation due to catastrophic backtracking. 1...