漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection
Vulnerability Description
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then converted to negative one when the engine selects the next live token for a request and is written back into the drafter's input ids; that out-of-vocabulary value is later consumed by the model's embedding and attention path and crashes the engine worker with a GPU device-side assertion. The same triggering request sequence is reachable through the public gRPC Generate and Abort endpoints, so a remote client that can send generation requests can crash the shared engine worker, aborting concurrent requests and causing a service-wide denial of service for other clients of the deployment until the worker is restarted. This issue is fixed in version 0.24.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
输入验证不恰当
Vulnerability Title
vLLM 输入验证错误漏洞
Vulnerability Description
vLLM是vLLM团队开源的一个适用于 LLM 的高吞吐量和内存高效推理和服务引擎。 vLLM 0.24.0之前版本存在输入验证错误漏洞,该漏洞源于输入验证错误,可能导致远程客户端通过公开的gRPC Generate和Abort端点发送生成请求,造成引擎工作进程崩溃,从而引发服务范围内的拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A