Medium severity6.2NVD Advisory· Published Sep 17, 2024· Updated Apr 15, 2026

CVE-2024-8939

Description

A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
vllmPyPI	<= 0.5.0.post1	—

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-wc36-9694-f9rfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-8939ghsaADVISORY
access.redhat.com/security/cve/CVE-2024-8939nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB
github.com/vllm-project/vllm/issues/6137ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.403
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000