russellb (Member)

Fixes GHSA-rxc4-3w6r-4v47

Signed-off-by: Taneem Ibrahim <[email protected]>
Co-authored-by: Russell Bryant <[email protected]>
Signed-off-by: Russell Bryant <[email protected]>

@russellb russellb requested a review from aarnphm as a code owner August 20, 2025 15:15
@mergify mergify bot added the frontend label Aug 20, 2025
gemini-code-assist bot (Contributor) left a comment:

Code Review

This pull request addresses a security vulnerability (GHSA-rxc4-3w6r-4v47) by introducing limits on HTTP header count and size to prevent header abuse attacks. It adds new command-line arguments to configure these limits, with safe defaults. The changes are well-structured, introducing constants for the default values and applying them in the uvicorn server configuration. The implementation appears correct and effectively mitigates the reported vulnerability. I have no major concerns with this change.
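As an added illustration, not code from this PR, vLLM, uvicorn or h11: a minimal HTTP/1.1 request-head parser that enforces the two limits the review above names, a cap on bytes buffered before the end-of-headers marker arrives (modelled on what h11's max_incomplete_event_size bounds) and a cap on header-field count, so the two failure modes they close (one huge header, or a flood of small ones) are visible on constructed input. The limit values, the helper names and the sample requests are constructed placeholders, not vLLM's defaults.

```python
# Added illustration, not vLLM/uvicorn/h11 code. Sample limits are constructed
# placeholders, not vLLM's H11_*_DEFAULT values.
MAX_INCOMPLETE_EVENT_SIZE = 16 * 1024
MAX_HEADER_COUNT = 100


class HeaderLimitExceeded(Exception):
    """Raised instead of buffering or parsing beyond the configured limits."""


def parse_request_head(buf, max_incomplete_event_size=MAX_INCOMPLETE_EVENT_SIZE,
                       max_header_count=MAX_HEADER_COUNT):
    """Return (method, target, headers) once the head is complete, or None if
    more bytes are needed. The size limit is applied to the *incomplete* head
    too, so a client that never sends the blank line cannot grow the buffer
    without bound; the count limit rejects a flood of tiny header fields."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        if len(buf) > max_incomplete_event_size:
            raise HeaderLimitExceeded(
                f"request head exceeds {max_incomplete_event_size} bytes "
                "without reaching end of headers")
        return None  # keep reading, still within the buffer budget
    if end + 4 > max_incomplete_event_size:
        raise HeaderLimitExceeded(f"request head of {end + 4} bytes exceeds limit")
    lines = buf[:end].split(b"\r\n")
    if len(lines) - 1 > max_header_count:
        raise HeaderLimitExceeded(
            f"{len(lines) - 1} header fields exceed limit of {max_header_count}")
    method, target, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def build_request(headers, target=b"/v1/models"):
    """Construct a sample GET request carrying the given (name, value) pairs."""
    head = b"GET " + target + b" HTTP/1.1\r\nHost: example.invalid\r\n"
    return head + b"".join(n + b": " + v + b"\r\n" for n, v in headers) + b"\r\n"


def classify(buf):
    """Summarise the parser's verdict as 'ok', 'incomplete' or 'rejected'."""
    try:
        return "incomplete" if parse_request_head(buf) is None else "ok"
    except HeaderLimitExceeded:
        return "rejected"
```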

@DarkLight1337 DarkLight1337 enabled auto-merge (squash) August 20, 2025 15:17

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs do not trigger a full CI run by default. Instead, only the fastcheck CI runs, which covers a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build in the Buildkite UI (linked in the PR checks section) and unblocking them. If you do not have permission to unblock, ping simon-mo or khluu to add you to our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either add the ready label to the PR or enable auto-merge.

🚀

@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label Aug 20, 2025
Comment on lines +46 to +60
# Extract header limit options if present
h11_max_incomplete_event_size = uvicorn_kwargs.pop(
"h11_max_incomplete_event_size", None)
h11_max_header_count = uvicorn_kwargs.pop("h11_max_header_count", None)

# Set safe defaults if not provided
if h11_max_incomplete_event_size is None:
h11_max_incomplete_event_size = H11_MAX_INCOMPLETE_EVENT_SIZE_DEFAULT
if h11_max_header_count is None:
h11_max_header_count = H11_MAX_HEADER_COUNT_DEFAULT

config = uvicorn.Config(app, **uvicorn_kwargs)
# Set header limits
config.h11_max_incomplete_event_size = h11_max_incomplete_event_size
config.h11_max_header_count = h11_max_header_count
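Review bot: nothing validates the popped values before the two config assignments at the end of the region, so a zero, negative or non-integer h11_max_incomplete_event_size or h11_max_header_count arriving through uvicorn_kwargs is set on the config unchecked; a guard such as "if not isinstance(v, int) or v <= 0: raise ValueError(...)" before the assignments, or falling back to the defaults for out-of-range values, would close that gap. A short comment saying why the two options are popped and set as attributes after uvicorn.Config(app, **uvicorn_kwargs) instead of being passed to the constructor would also help the next reader.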
Collaborator

Suggested change
# Extract header limit options if present
h11_max_incomplete_event_size = uvicorn_kwargs.pop(
"h11_max_incomplete_event_size", None)
h11_max_header_count = uvicorn_kwargs.pop("h11_max_header_count", None)
# Set safe defaults if not provided
if h11_max_incomplete_event_size is None:
h11_max_incomplete_event_size = H11_MAX_INCOMPLETE_EVENT_SIZE_DEFAULT
if h11_max_header_count is None:
h11_max_header_count = H11_MAX_HEADER_COUNT_DEFAULT
config = uvicorn.Config(app, **uvicorn_kwargs)
# Set header limits
config.h11_max_incomplete_event_size = h11_max_incomplete_event_size
config.h11_max_header_count = h11_max_header_count
# Set header limits
config.h11_max_incomplete_event_size = uvicorn_kwargs.pop(
"h11_max_incomplete_event_size", H11_MAX_INCOMPLETE_EVENT_SIZE_DEFAULT)
config.h11_max_header_count = uvicorn_kwargs.pop(
"h11_max_header_count", H11_MAX_HEADER_COUNT_DEFAULT)
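Review bot: the replacement lines rely on dict.pop's default, which only applies when the key is absent, so an explicit h11_max_incomplete_event_size=None or h11_max_header_count=None in uvicorn_kwargs would be assigned to the config unchanged and the safe default the original lines guarantee would be lost. If brevity is the aim, uvicorn_kwargs.pop("h11_max_header_count", None) or H11_MAX_HEADER_COUNT_DEFAULT keeps the None handling in one line, with the caveat that it also replaces an explicit 0 with the default.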

russellb (Member Author)

I think this will break if the options are in uvicorn_kwargs but set to None. The previous code would ensure we overwrote the value if it was either not present or was set to None.

@simon-mo simon-mo added this to the v0.10.1.1 milestone Aug 20, 2025
@DarkLight1337 DarkLight1337 merged commit f77a080 into vllm-project:main Aug 20, 2025
42 of 43 checks passed
simon-mo pushed a commit that referenced this pull request Aug 20, 2025
Signed-off-by: Taneem Ibrahim <[email protected]>
Signed-off-by: Russell Bryant <[email protected]>
Co-authored-by: Taneem Ibrahim <[email protected]>
Signed-off-by: simon-mo <[email protected]>
djmmoss pushed a commit to djmmoss/vllm that referenced this pull request Aug 21, 2025
Signed-off-by: Duncan Moss <[email protected]>
shanes-cerebras pushed a commit to smsegal/vllm that referenced this pull request Aug 24, 2025
epwalsh pushed a commit to epwalsh/vllm that referenced this pull request Aug 28, 2025
xiao-llm pushed a commit to xiao-llm/vllm that referenced this pull request Aug 28, 2025
Signed-off-by: Xiao Yu <[email protected]>
zhewenl pushed a commit to zhewenl/vllm that referenced this pull request Aug 28, 2025
mengxingkongzhouhan pushed a commit to mengxingkongzhouhan/vllm that referenced this pull request Aug 30, 2025
zhewenl pushed a commit to zhewenl/vllm that referenced this pull request Sep 3, 2025
dsocek added a commit to HabanaAI/vllm-fork that referenced this pull request Sep 19, 2025
Manually applied cherry-pick of commit d8b736f

FeiDaLI pushed a commit to FeiDaLI/vllm that referenced this pull request Sep 25, 2025