Skip to content

[Frontend] Require flag for loading text and image embeds #27204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Oct 22, 2025
Merged

[Frontend] Require flag for loading text and image embeds #27204

merged 18 commits into from
Oct 22, 2025

Conversation

@russellb
Copy link
Member

@russellb russellb commented Oct 20, 2025
edited by github-actions bot
Loading

@mergify
Copy link

mergify bot commented Oct 20, 2025

Documentation preview: https://vllm--27204.org.readthedocs.build/en/27204/

@mergify mergify bot added documentation Improvements or additions to documentation frontend multi-modality Related to multi-modality (#4194) qwen Related to Qwen models labels Oct 20, 2025
@russellb
Copy link
Member Author

Already approved by @Isotr0py and @ywang96

gemini-code-assist[bot]
gemini-code-assist bot reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses security vulnerabilities GHSA-mrw7-hf4f-83pf and GHSA-pmqf-x6x8-p7qw by introducing --enable-prompt-embeds and --enable-mm-embeds flags. These flags gate the functionality of loading user-provided text and multimodal embeddings, which can be a security risk. The changes are well-implemented across the configuration, core logic, and entrypoints, with checks to ensure the flags are respected. The documentation has been updated with clear warnings, and new tests have been added to verify the behavior. The implementation appears correct and robust. I have not found any issues in this pull request.

@russellb russellb mentioned this pull request Oct 20, 2025
Closed
3 tasks
@github-actions github-actions bot added the ready ONLY add when PR is ready to merge/full CI is needed label Oct 20, 2025
@DarkLight1337 DarkLight1337 enabled auto-merge (squash) October 20, 2025 15:22
@simon-mo simon-mo added this to the v0.11.1 milestone Oct 20, 2025
@mergify mergify bot added the v1 label Oct 21, 2025
@DarkLight1337
More updates
1108e18 
Signed-off-by: DarkLight1337 <[email protected]>
@DarkLight1337
Copy link
Member

cc @christian-pinto --enable-mm-embeds flag will be required for using terratorch models going forward.

@DarkLight1337 DarkLight1337 requested a review from noooop as a code owner October 21, 2025 02:43
@DarkLight1337 DarkLight1337 merged commit 58fab50 into main Oct 22, 2025
57 checks passed
@DarkLight1337 DarkLight1337 deleted the vllm-ghsa-pmqf-x6x8-p7qw branch October 22, 2025 15:52
qthequartermasterman
qthequartermasterman reviewed Oct 22, 2025
View reviewed changes
vllm/config/model.py
`prompt_embeds` key.
WARNING: The vLLM engine may crash if incorrect shape of embeddings is passed.
Only enable this flag for trusted users!"""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should a shape check be added to the renderer?

Copy link
Member

@DarkLight1337 DarkLight1337 Oct 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The shape depends on the embedding size of each model so it requires a lot more effort to perform shape validation outside of the model class.

@noooop noooop mentioned this pull request Oct 23, 2025
Merged
5 tasks
@DarkLight1337 DarkLight1337 mentioned this pull request Oct 23, 2025
Merged
5 tasks
usberkeley pushed a commit to usberkeley/vllm that referenced this pull request Oct 23, 2025
@russellb @DarkLight1337 @usberkeley
[Frontend] Require flag for loading text and image embeds (vllm-proje…
cfcadb3 
…ct#27204)

Signed-off-by: DarkLight1337 <[email protected]>
Co-authored-by: DarkLight1337 <[email protected]>
albertoperdomo2 pushed a commit to albertoperdomo2/vllm that referenced this pull request Oct 23, 2025
@russellb @DarkLight1337 @albertoperdomo2
[Frontend] Require flag for loading text and image embeds (vllm-proje…
c8b671a 
…ct#27204)

Signed-off-by: DarkLight1337 <[email protected]>
Co-authored-by: DarkLight1337 <[email protected]>
Signed-off-by: Alberto Perdomo <[email protected]>
kingsmad pushed a commit to kingsmad/vllm that referenced this pull request Oct 25, 2025
@russellb @DarkLight1337 @kingsmad
[Frontend] Require flag for loading text and image embeds (vllm-proje…
e48aafc 
…ct#27204)

Signed-off-by: DarkLight1337 <[email protected]>
Co-authored-by: DarkLight1337 <[email protected]>
0xrushi pushed a commit to 0xrushi/vllm that referenced this pull request Oct 26, 2025
@russellb @DarkLight1337 @0xrushi
[Frontend] Require flag for loading text and image embeds (vllm-proje…
1b6dc44 
…ct#27204)

Signed-off-by: DarkLight1337 <[email protected]>
Co-authored-by: DarkLight1337 <[email protected]>
Signed-off-by: 0xrushi <[email protected]>
0xrushi pushed a commit to 0xrushi/vllm that referenced this pull request Oct 26, 2025
@russellb @DarkLight1337 @0xrushi
[Frontend] Require flag for loading text and image embeds (vllm-proje…
0718bab 
…ct#27204)

Signed-off-by: DarkLight1337 <[email protected]>
Co-authored-by: DarkLight1337 <[email protected]>
Signed-off-by: 0xrushi <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DarkLight1337 DarkLight1337 DarkLight1337 approved these changes

@Isotr0py Isotr0py Isotr0py approved these changes

@ywang96 ywang96 Awaiting requested review from ywang96 ywang96 is a code owner

@robertgshaw2-redhat robertgshaw2-redhat Awaiting requested review from robertgshaw2-redhat robertgshaw2-redhat is a code owner

@simon-mo simon-mo Awaiting requested review from simon-mo simon-mo is a code owner

@aarnphm aarnphm Awaiting requested review from aarnphm aarnphm is a code owner

@NickLucche NickLucche Awaiting requested review from NickLucche NickLucche is a code owner

@WoosukKwon WoosukKwon Awaiting requested review from WoosukKwon WoosukKwon is a code owner

@youkaichao youkaichao Awaiting requested review from youkaichao youkaichao is a code owner

@mgoin mgoin Awaiting requested review from mgoin mgoin is a code owner

@tlrmchlsmth tlrmchlsmth Awaiting requested review from tlrmchlsmth tlrmchlsmth is a code owner

@houseroad houseroad Awaiting requested review from houseroad houseroad is a code owner

@hmellor hmellor Awaiting requested review from hmellor hmellor is a code owner

@yewentao256 yewentao256 Awaiting requested review from yewentao256 yewentao256 is a code owner

@ProExpertProg ProExpertProg Awaiting requested review from ProExpertProg ProExpertProg is a code owner

@chaunceyjiang chaunceyjiang Awaiting requested review from chaunceyjiang chaunceyjiang is a code owner

@noooop noooop Awaiting requested review from noooop noooop is a code owner

+2 more reviewers

@qthequartermasterman qthequartermasterman qthequartermasterman left review comments

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation frontend multi-modality Related to multi-modality (#4194) qwen Related to Qwen models ready ONLY add when PR is ready to merge/full CI is needed v1

Projects

None yet

Milestone

v0.11.1

Development

Successfully merging this pull request may close these issues.

6 participants

@russellb @DarkLight1337 @qthequartermasterman @Isotr0py @simon-mo @aarnphm