Description
A flaw was found in the server implementation of vLLM, where the handling of Jinja templates does not properly validate user-supplied input through the chat_template and chat_template_kwargs parameters. When a specially crafted template is processed, it can trigger excessive looping or recursion inside the Jinja engine, consuming large amounts of CPU and memory. This can cause the server to become unresponsive or crash, resulting in a denial-of-service (DoS) condition for applications using vLLM.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
No data.
No data.
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-6fvq-23cw-5628 | vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server |
References
History
Tue, 14 Oct 2025 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in the server implementation of vLLM, where the handling of Jinja templates does not properly validate user-supplied input through the chat_template and chat_template_kwargs parameters. When a specially crafted template is processed, it can trigger excessive looping or recursion inside the Jinja engine, consuming large amounts of CPU and memory. This can cause the server to become unresponsive or crash, resulting in a denial-of-service (DoS) condition for applications using vLLM. | |
| Title | vllm: vLLM OpenAI-Compatible Server Resource Exhaustion via chat_template Parameters | |
| Weaknesses | CWE-400 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Subscriptions
No data.
MITRE
No data.
Vulnrichment
No data.
NVD
No data.
Redhat
OpenCVE Enrichment
No data.
Weaknesses