What happened
In vLLM from 0.3.0 up to, but not including, 0.22.0, the AuthenticationMiddleware reconstructed the request path with Starlette's URL(scope=scope).path, which builds the URL from the attacker-controlled Host header before extracting the path. By injecting a crafted Host header such as 'localhost/v1/models?', the authentication check, which tested whether the path starts with /v1, could be bypassed, granting unauthenticated access to any protected API endpoint. Fixed in 0.22.0 by using scope['path'] directly. CVSS 9.1 Critical confirmed by Miggo Security deep analysis.
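The following added example (not vLLM's or Starlette's code) shows why the two ways of obtaining the path differ. It reimplements, as an assumption about Starlette internals, the way URL(scope=scope) glues scheme, Host header, path and query string into one string and then re-parses it with urlsplit, and places a Host-independent check built on scope["path"] beside it. The scope dictionaries, the PROTECTED_PREFIX constant and the helper names are constructed for the demonstration; the Host value is the one quoted in the advisory.

```python
from urllib.parse import urlsplit

# vLLM only enforced authentication on paths under this prefix (per the advisory).
PROTECTED_PREFIX = "/v1"


def _host_header(scope):
    """Return the decoded Host header from an ASGI scope, or None if absent."""
    for key, value in scope.get("headers", []):
        if key == b"host":
            return value.decode("latin-1")
    return None


def reconstructed_path(scope):
    """Path as derived by rebuilding a full URL from the scope.

    This mirrors (as an assumption, reimplemented here) what Starlette's
    URL(scope=scope).path does: the Host header is concatenated in front of
    the path, so any '/' or '?' inside Host changes where urlsplit() decides
    the path begins and ends.
    """
    host = _host_header(scope)
    path = scope["path"]
    if host is not None:
        url = f"{scope.get('scheme', 'http')}://{host}{path}"
    else:
        url = path
    query_string = scope.get("query_string", b"")
    if query_string:
        url += "?" + query_string.decode()
    return urlsplit(url).path


def requires_auth_vulnerable(scope):
    """Pre-fix behaviour: the decision depends on the Host-derived path."""
    return reconstructed_path(scope).startswith(PROTECTED_PREFIX)


def requires_auth_fixed(scope):
    """Post-fix behaviour: the decision uses the same value the router uses."""
    return scope["path"].startswith(PROTECTED_PREFIX)


def host_path_mismatch(scope):
    """Detection signal: True when the Host header has altered the derived path.

    A reverse proxy or middleware can log or reject requests where this is
    True; a well-formed Host header never contains path or query characters.
    """
    return reconstructed_path(scope) != scope["path"]


def make_scope(path, host, query_string=b""):
    """Build a minimal constructed ASGI HTTP scope for the demonstration."""
    return {
        "type": "http",
        "scheme": "http",
        "path": path,
        "query_string": query_string,
        "headers": [(b"host", host.encode("latin-1"))],
    }


if __name__ == "__main__":
    cases = [
        ("/v1/completions", "localhost"),
        ("/v1/completions", "localhost/v1/models?"),
        ("/health", "localhost/v1/models?"),
    ]
    for path, host in cases:
        scope = make_scope(path, host)
        print(
            f"path={path!r:20} host={host!r:24} "
            f"derived={reconstructed_path(scope)!r:14} "
            f"vulnerable={requires_auth_vulnerable(scope)!s:5} "
            f"fixed={requires_auth_fixed(scope)!s:5} "
            f"mismatch={host_path_mismatch(scope)}"
        )
```

With a plain Host header the two derivations agree. With the advisory's crafted Host header the reconstructed path becomes "/v1/models" no matter which path the client actually requested, so the pre-fix check is deciding on a string the client chose rather than on the route the server will serve; the fixed check, and the router, both read scope["path"], so they can no longer disagree. The host_path_mismatch() signal is a cheap way to surface such requests in access logs on deployments that cannot upgrade immediately.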
Why it matters
vLLM is one of the most widely deployed LLM inference engines in production. Auth bypass allows any network-reachable attacker to issue completions, list models, consume GPU resources, and exfiltrate sensitive inference data without any API key — directly undermining the primary access-control mechanism protecting hosted LLM deployments.
Attack vector
An HTTP request with a crafted Host header (e.g. Host: localhost/v1/models?) sent to any vLLM OpenAI-compatible API endpoint; it bypasses the AuthenticationMiddleware path-prefix check.
Affected systems
vLLM >= 0.3.0, < 0.22.0
Mitigation
Upgrade to vLLM 0.22.0 or later. Advisory: https://github.com/vllm-project/vllm/pull/43426