{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11040", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "REJECTED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-11-09T04:21:53.965Z", "datePublished": "2025-03-20T10:10:55.762Z", "dateUpdated": "2025-04-15T15:53:31.930Z", "dateRejected": "2025-04-15T15:53:31.930Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-04-15T15:53:31.930Z"}, "rejectedReasons": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11040", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "REJECTED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-11-09T04:21:53.965Z", "datePublished": "2025-03-20T10:10:55.762Z", "dateUpdated": "2025-04-15T15:53:31.930Z", "dateRejected": "2025-04-15T15:53:31.930Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-04-15T15:53:31.930Z"}, "rejectedReasons": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "value": "** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: ** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "id": "CVE-2024-11040", "lastModified": "2025-04-15T16:15:21.517", "metrics": {}, "published": "2025-03-20T10:15:23.293", "references": [], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Rejected"}

{"bugzilla": {"description": "vllm: Denial of Service in vllm-project/vllm", "id": "2353624", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353624"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["A flaw was found in vLLM. This vulnerability allows a denial of service via the POST endpoints. Enabling use_beam_search with a high best_of value in POST /v1/completions causes the HTTP connection to time out, blocking new completion requests. Supplying invalid inputs to POST /v1/embeddings results in a background loop failure, causing all further requests to return a 500 HTTP error until the vLLM is restarted."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-11040", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-aws-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-azure-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-azure-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-gcp-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-ibm-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-intel-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/instructlab-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/instructlab-intel-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/ui-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2025-03-20T10:10:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-11040\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11040\nhttps://huntr.com/bounties/8ce20bbe-3c96-4cd1-97e5-25a5630925be"], "statement": "No Red Hat products are affected by this vulnerability.\nThis vulnerability marked as high severity rather than moderate due to its direct impact on availability and service reliability. For the POST /v1/completions endpoint, enabling use_beam_search with an excessively high best_of value triggers an indefinite pending state, effectively causing a Denial of Service (DoS) by preventing any new inference requests from being processed. \nSimilarly, for the POST /v1/embeddings endpoint, malformed JSON input leads to a persistent internal failure, resulting in continuous 500 errors for all subsequent requests. Since these issues persist until the server is manually restarted, they allow an attacker to completely halt the vLLM service, impacting uptime and availability, making it a high-severity vulnerability rather than a moderate one.", "threat_severity": "Important"}