python · vllm · Critical
vLLM Authentication Bypass via ASGI Server Vulnerability
What changed
A vulnerability in ASGI web servers, together with Starlette's trust in those servers, enables an authentication bypass of the OpenAI API AuthenticationMiddleware, allowing use of the API without providing the configured VLLM_API_KEY or --api-key.
Who it affects
Instances of vLLM that use an API key for the OpenAI API and expose the API to attackers. Instances behind an RFC-conforming web server (such as nginx) are not affected.
What to do today
Update vLLM to a patched version or ensure the API is behind an RFC-conforming web server like nginx.
Source
GitHub Advisory · vllm