Impact
vLLM, an inference engine for large language models, includes an OpenAI AuthenticationMiddleware that requires a configured VLLM_API_KEY or a command‑line --api-key. A flaw in the way ASGI web servers and Starlette’s trust‑on‑headers feature integrate with that middleware allows a request that is missing the key to be treated as authenticated. This results in unauthenticated users obtaining direct access to the LLM service, which can expose sensitive model output, enable unauthorized inference, and allow unregulated consumption of compute resources. The weakness reflects a boundary violation (CWE-444) and can lead to evidence tampering (CWE-501).
Affected Systems
All released versions of vLLM from 0.3.0 through 0.21.9 are vulnerable. The product, named vLLM and produced by the vllm‑project, is typically exposed behind ASGI‑compatible servers such as Uvicorn, Hypercorn or Starlette itself. Users running these server environments have exposed API endpoints that the vulnerability targets.
Risk and Exploitability
The vulnerability has a CVSS score of 9.1, placing it in the critical category. Its EPSS score is less than 1 %, indicating a low but non‑zero probability of exploitation. It has not appeared in the CISA KEV catalog. Attackers would likely attempt exploitation over the network by sending crafted HTTP requests to the API endpoints served by the ASGI server, taking advantage of Starlette’s default trust‑headers configuration that forwards client IP information without proper validation.
OpenCVE Enrichment
Github GHSA