vLLM Remote Code Execution Vulnerability via JPEG2000 Heap Overflow

Vulnerability

A remote code execution vulnerability has been identified in vLLM, an inference and serving engine for large language models. It affects versions 0.8.3 up to, but not including, 0.14.1. When an invalid image is sent to vLLM's multimodal endpoint, the Python Imaging Library (PIL) raises an error, and vLLM returns the raw error text to the client. That text contains a heap address, so a single malformed request is enough to defeat Address Space Layout Randomization (ASLR): the number of candidate addresses an attacker must guess drops from roughly 4 billion to about 8. Chaining this information leak with a heap overflow in the JPEG2000 decoder used by OpenCV or FFmpeg yields remote code execution on the server.

Impact

Successful exploitation gives an attacker arbitrary code execution on the server running vLLM. Because the affected endpoints are reachable without credentials in a default deployment, the attack requires no prior access.

Reproduction

To reproduce this vulnerability, supply a video file containing a malicious JPEG2000 'cdef' (channel definition) box that remaps colour channels, in particular one that directs luma data into the chroma buffer, which overflows a heap buffer during decoding. Deliver it through the vLLM API by sending a request to the 'chat/completions' or 'invocations' endpoint whose 'video_url' content part points at the malicious video. A default vLLM deployment requires no authentication, and enabling an API key does not close the hole: the 'invocations' route processes the request before authentication is applied.
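The following is an added example, not code from the advisory or from the vLLM project. It shows the two things a practitioner checks first for this class of bug: the shape of the multimodal request the advisory describes, and whether an error response echoes a heap address. The request layout assumes the OpenAI-compatible chat/completions format that vLLM serves; the sample error body is constructed by hand (its message text is the form PIL uses when it cannot identify an image file); and the address regex, the function names and the sanitizer are my own.

```python
"""Added example (not vLLM's code): build the multimodal request described in
the advisory and check an API error body for leaked memory addresses.

Assumptions not taken from the advisory:
  * request shape follows the OpenAI-compatible chat/completions format;
  * SAMPLE_LEAKY_RESPONSE is constructed; the message mirrors PIL's
    "cannot identify image file %r" text, where %r of a BytesIO embeds
    an object address;
  * any "0x" + 8..16 hex digits is treated as a candidate pointer.
"""
import json
import re
from typing import Dict, List

# Candidate pointer: 0x followed by 8-16 hex digits, as CPython prints
# object addresses in reprs such as <_io.BytesIO object at 0x7f...>.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{8,16}")


def build_video_chat_request(model: str, video_url: str) -> Dict:
    """Body for POST /v1/chat/completions carrying a video_url content part."""
    return {
        "model": model,
        "messages": [
            {
                "role": "user",
                "content": [
                    {"type": "text", "text": "Describe this video."},
                    {"type": "video_url", "video_url": {"url": video_url}},
                ],
            }
        ],
        "max_tokens": 16,
    }


def find_address_leaks(body: str) -> List[str]:
    """Return every pointer-looking token found in an HTTP error body."""
    return sorted(set(ADDRESS_RE.findall(body)))


def response_leaks_address(body: str) -> bool:
    """True when an error response should be treated as an ASLR info leak."""
    return bool(find_address_leaks(body))


def sanitize_error(exc: BaseException) -> str:
    """Client-facing message built from the exception type only.

    str(exc) is deliberately not included: library error text routinely
    embeds object reprs, and reprs embed heap addresses.
    """
    return f"{type(exc).__name__}: unable to decode media input"


# Constructed sample of a server echoing a raw PIL error back to the client.
SAMPLE_LEAKY_RESPONSE = json.dumps({
    "object": "error",
    "message": "cannot identify image file <_io.BytesIO object at 0x7f3c8a1b2c40>",
    "type": "BadRequestError",
    "code": 400,
})


if __name__ == "__main__":
    req = build_video_chat_request("some-model", "http://media.example/clip.mp4")
    print(json.dumps(req, indent=2))
    print("leaked addresses:", find_address_leaks(SAMPLE_LEAKY_RESPONSE))
    try:
        raise ValueError("cannot identify image file <_io.BytesIO object at 0x7f3c8a1b2c40>")
    except ValueError as e:
        print("sanitized:", sanitize_error(e))
```

To test a deployment, send the request body to the server with a deliberately invalid media URL and run find_address_leaks over the response body; any hit means the server is still returning raw decoder errors. The sanitizer shows the general fix for the leak half of the chain: never forward str(exc) from a media library to an untrusted client.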

Remediation

Upgrade to vLLM 0.14.1 or later, which addresses this vulnerability. Enabling API key authentication is not a substitute: as noted above, the 'invocations' route is reachable before authentication is applied.
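As an added example (not part of the advisory), the check below decides whether an installed vLLM version falls inside the affected range 0.8.3 <= version < 0.14.1. It parses dotted numeric versions by hand rather than depending on a third-party package; treating a pre-release of a version as sorting below that version's final release is my conservative assumption, so "0.14.1rc1" is reported as affected. The pip-output parser assumes the usual "Version: X.Y.Z" line that pip show prints.

```python
"""Added example: is an installed vLLM inside the affected range?

Assumptions (mine, not the advisory's): versions look like PEP 440 public
versions; a pre-release marker (a, b, rc, .dev) sorts below the final
release of the same base version; a "+local" suffix is ignored.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = "0.8.3"   # first affected release
FIXED_IN = "0.14.1"      # first fixed release

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc|\.dev)\d*)?(?:\+.*)?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: (numeric components padded to 3, 0 for pre-release else 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # so "0.14" compares equal to "0.14.0"
    marker = 0 if m.group(2) else 1        # pre-release sorts before final
    return tuple(nums), marker


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version < FIXED_IN."""
    key = version_key(version)
    return version_key(AFFECTED_MIN) <= key < version_key(FIXED_IN)


def version_from_pip_show(output: str) -> Optional[str]:
    """Pull the version out of `pip show vllm` text; None if absent."""
    for line in output.splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample of `pip show vllm` output.
SAMPLE_PIP_SHOW = "Name: vllm\nVersion: 0.13.0\nSummary: A high-throughput LLM engine\n"


if __name__ == "__main__":
    v = version_from_pip_show(SAMPLE_PIP_SHOW)
    print(f"installed {v}: {'AFFECTED, upgrade to ' + FIXED_IN if is_affected(v) else 'not affected'}")
```

Run it against the real output of `pip show vllm` on each inference host; anything reported as affected needs the upgrade regardless of whether an API key is configured.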

Added: Feb 3, 2026, 12:05 AM
Updated: Feb 3, 2026, 12:05 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 3.1
exploitability: 8.1
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.