{"id":"GHSA-w2r7-9579-27hf","summary":"vLLM denial of service vulnerability","details":"A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.","aliases":["CVE-2024-8768"],"modified":"2026-02-04T04:23:20.426168Z","published":"2024-09-17T18:33:26Z","related":["CGA-hf2p-vgc4-g2qj"],"database_specific":{"severity":"HIGH","nvd_published_at":"2024-09-17T17:15:11Z","cwe_ids":["CWE-617"],"github_reviewed":true,"github_reviewed_at":"2024-09-17T21:32:12Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8768"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/issues/7632"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/pull/7746"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/commit/e25fee57c2e69161bd261f5986dc5aeb198bbd42"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-8768"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2311895"},{"type":"PACKAGE","url":"https://github.com/vllm-project/vllm"}],"affected":[{"package":{"name":"vllm","ecosystem":"PyPI","purl":"pkg:pypi/vllm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.5"}]}],"versions":["0.0.1","0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.2.0","0.2.1","0.2.1.post1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.3.0","0.3.1","0.3.2","0.3.3","0.4.0","0.4.0.post1","0.4.1","0.4.2","0.4.3","0.5.0","0.5.0.post1","0.5.1","0.5.2","0.5.3","0.5.3.post1","0.5.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-w2r7-9579-27hf/GHSA-w2r7-9579-27hf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}