GHSA-3mwp-wvh9-7528: vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
Summary
vLLM's OpenAI-compatible API server has a denial-of-service vulnerability: an attacker can send a request with an extremely large `n` parameter (the value that controls how many independent response sequences to generate). Because the server doesn't enforce an upper limit on this parameter, it attempts to create millions of copies of the request object in memory, which overwhelms the system and crashes it with an out-of-memory (OOM) error.
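The missing check, sketched as a pre-filter that a proxy or middleware in front of the API server could apply to each request body; this is an added example, not vLLM's code or its fix. The names `checked_n`, `filter_requests` and `RequestRejected` and the cap `MAX_N = 16` are assumptions chosen for illustration.

```python
import json

# Assumed policy cap for this example; the advisory does not state the
# limit the vLLM project chose, so pick one that fits your capacity.
MAX_N = 16


class RequestRejected(ValueError):
    """Raised when a request body must not be forwarded to the server."""


def checked_n(raw_body: bytes, max_n: int = MAX_N) -> int:
    """Return the validated `n` of an OpenAI-style request body.

    Hypothetical helper. A missing or null `n` falls back to 1, the
    default in the OpenAI API.
    """
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        # Covers malformed JSON, undecodable bytes and integer literals
        # too long for Python to parse.
        raise RequestRejected("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise RequestRejected("body must be a JSON object")

    n = body.get("n")
    if n is None:
        return 1
    # bool is a subclass of int in Python, so exclude it explicitly;
    # floats such as 1e9 and strings such as "5" are rejected, not coerced.
    if isinstance(n, bool) or not isinstance(n, int):
        raise RequestRejected("n must be an integer")
    if not 1 <= n <= max_n:
        raise RequestRejected(f"n must be between 1 and {max_n}")
    return n


def filter_requests(bodies):
    """Split raw bodies into (accepted_n_values, rejection_reasons)."""
    accepted, rejected = [], []
    for raw in bodies:
        try:
            accepted.append(checked_n(raw))
        except RequestRejected as exc:
            rejected.append(str(exc))
    return accepted, rejected
```

Rejecting before any per-sequence state is allocated is the point: the bound has to be checked on the parsed value, not after the request has been fanned out.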
Vulnerability Details
EPSS: 0.0%
Yes
April 3, 2026
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-3mwp-wvh9-7528
First tracked: April 3, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%