vLLM API Key Validation Timing Attack Vulnerability Allowing Authentication Bypass

A timing attack vulnerability has been identified in the API key validation method used by vLLM, an inference and serving engine for large language models. This vulnerability exists in versions of vLLM through 0.11.0. The validation process compares API keys in a way that allows an attacker to infer the correctness of each character, potentially leading to an authentication bypass. The issue has been addressed in vLLM version 0.11.0.

Impact

Exploitation of this vulnerability allows for authentication bypass, as the timing attack could be used to discover valid API keys more efficiently than through brute force methods.

Reproduction

The vulnerability can be reproduced by sending API keys that are progressively correct character by character. The server's response time will indicate the correctness of each character, allowing the attacker to deduce the valid key more quickly than by guessing randomly.

Remediation

Users can upgrade to vLLM version 0.11.0 or later, where this vulnerability has been fixed.