GHSA-rm76-4mrf-v9r8: vLLM uses Python 3.12 built-in hash() which leads to predictable hash collisions in prefix cache
Maliciously constructed inputs can lead to hash collisions in the prefix cache, causing cached entries to be reused for a different request, which can interfere with subsequent responses and cause unintended behavior.
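As an added example (not code from vLLM or from this advisory): a minimal model of the keying pattern the advisory describes, beside a hardened variant, plus a check that tells whether the legacy root key is reproducible across interpreter processes. The function names, BLOCK_SIZE and the assumption that the root block's parent key was None are mine; the random per-process sentinel follows the approach taken in the referenced vLLM fix.

```python
import os
import subprocess
import sys

# Constructed model of a prefix-cache block key (not vLLM's code): each KV block
# is keyed by the built-in hash() of (parent block key, block token ids), and the
# first block of a prompt has no parent. BLOCK_SIZE is an assumption.
BLOCK_SIZE = 4


def block_key_legacy(parent_key, token_ids):
    """Vulnerable pattern: the root block is keyed as hash((None, tokens)).
    Since Python 3.12 hash(None) is a fixed constant, and hashes of ints and
    tuples are never seeded, so every key chained from the root depends only
    on the tokens and is reproducible across processes and restarts."""
    return hash((parent_key, tuple(token_ids)))


# Hardened root: a random per-process value replaces None (the approach the
# referenced vLLM fix takes, assumed here rather than copied).
NONE_HASH = int.from_bytes(os.urandom(32), byteorder="big")


def block_key_hardened(parent_key, token_ids):
    parent = NONE_HASH if parent_key is None else parent_key
    return hash((parent, tuple(token_ids)))


def chain_keys(token_ids, key_fn):
    """Key each full block of a prompt, root to leaf, as a prefix cache does."""
    keys, parent = [], None
    for start in range(0, len(token_ids) - len(token_ids) % BLOCK_SIZE, BLOCK_SIZE):
        parent = key_fn(parent, token_ids[start:start + BLOCK_SIZE])
        keys.append(parent)
    return keys


def legacy_root_key_is_process_constant(token_ids=(1, 2, 3, 4)):
    """Check: evaluate the legacy root key in two fresh interpreters. An equal
    result means cache keys can be predicted without any per-server secret."""
    expr = f"print(hash((None, {tuple(token_ids)!r})))"
    outputs = {
        subprocess.run([sys.executable, "-c", expr], capture_output=True,
                       text=True, check=True).stdout.strip()
        for _ in range(2)
    }
    return len(outputs) == 1
```

Running `legacy_root_key_is_process_constant()` under Python 3.12 returns True, which is the property the advisory warns about; the hardened keys change on every process start.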
References
- github.com/advisories/GHSA-rm76-4mrf-v9r8
- github.com/python/cpython/commit/432117cd1f59c76d97da2eaff55a7d758301dbc7
- github.com/python/cpython/pull/99541
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/commit/73b35cca7f3745d07d439c197768b25d88b6ab7f
- github.com/vllm-project/vllm/pull/12621
- github.com/vllm-project/vllm/security/advisories/GHSA-rm76-4mrf-v9r8