CVE-2024-11040 - Vulnerability Details

- vllm: Denial of Service in vllm-project/vllm

Description

** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.

Published: 2025-03-20

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-7053	REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://huntr.com/bounties/8ce20bbe-3c96-4cd1-97e5-25a5630925be
https://nvd.nist.gov/vuln/detail/CVE-2024-11040
https://www.cve.org/CVERecord?id=CVE-2024-11040

History

Wed, 18 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Important`	threat_severity `None`

Tue, 15 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Title	Denial of Service in vllm-project/vllm	vllm: Denial of Service in vllm-project/vllm
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 15 Apr 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description	vllm-project vllm version 0.5.2.2 is vulnerable to Denial of Service attacks. The issue occurs in the 'POST /v1/completions' and 'POST /v1/embeddings' endpoints. For 'POST /v1/completions', enabling 'use_beam_search' and setting 'best_of' to a high value causes the HTTP connection to time out, with vllm ceasing effective work and the request remaining in a 'pending' state, blocking new completion requests. For 'POST /v1/embeddings', supplying invalid inputs to the JSON object causes an issue in the background loop, resulting in all further completion requests returning a 500 HTTP error code ('Internal Server Error') until vllm is restarted.	REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.

Sat, 22 Mar 2025 13:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-11040 https://www.cve.org/CVERecord?id=CVE-2024-11040
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 20 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 20 Mar 2025 10:15:00 +0000

Type	Values Removed	Values Added
Description		vllm-project vllm version 0.5.2.2 is vulnerable to Denial of Service attacks. The issue occurs in the 'POST /v1/completions' and 'POST /v1/embeddings' endpoints. For 'POST /v1/completions', enabling 'use_beam_search' and setting 'best_of' to a high value causes the HTTP connection to time out, with vllm ceasing effective work and the request remaining in a 'pending' state, blocking new completion requests. For 'POST /v1/embeddings', supplying invalid inputs to the JSON object causes an issue in the background loop, resulting in all further completion requests returning a 500 HTTP error code ('Internal Server Error') until vllm is restarted.
Title		Denial of Service in vllm-project/vllm
Weaknesses		CWE-400
References		https://huntr.com/bounties/8ce20bbe-3c96-4cd1-97e5-25a5630925be
Metrics		cvssV3_0 `{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

No data.

MITRE

Status: REJECTED

Assigner: @huntr_ai

Published: 2025-03-20T10:10:55.762Z

Updated: 2025-04-15T15:53:31.930Z

Reserved: 2024-11-09T04:21:53.965Z

Link: CVE-2024-11040

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-03-20T10:15:23.293

Modified: 2025-04-15T16:15:21.517

Link: CVE-2024-11040

Redhat

Severity :

Publid Date: 2025-03-20T10:10:55Z

Links: CVE-2024-11040 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-400

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object