Attack  ·  Glossary

Decompression bomb (AI inference denial of service)

A specially crafted, tiny file — often an audio or archive file — that expands to an enormous size (e.g. a 25 MB file expanding to nearly 15 GB) when an AI server processes it. Sending a single such file can exhaust the server's memory and crash it, taking down the AI service for all users.
Any AI service that accepts file uploads — for transcription, document processing, or analysis — can be taken offline by a single unauthenticated request costing the attacker nothing, while the business loses access to its AI tools. vLLM, one of the most widely deployed AI serving engines, was found vulnerable to exactly this.
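A defensive sketch of the usual countermeasure, added here as an example and not taken from vLLM or any project the entry mentions: inflate untrusted input incrementally and abort once a fixed output budget is crossed, instead of expanding it in one call. It assumes a zlib stream as a stand-in for whatever audio or archive format the service accepts; the names `bounded_decompress` and `DecompressionLimitExceeded` and the limit values are hypothetical.

```python
import zlib

class DecompressionLimitExceeded(Exception):
    """Raised when a stream would inflate past the configured byte budget."""

def bounded_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream incrementally, never holding more than max_output bytes.

    zlib.decompress(data) would allocate the full expanded size in one call;
    here each call to the decompressor is capped at `chunk` output bytes.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not inflater.eof:
        piece = inflater.decompress(pending, chunk)  # at most `chunk` bytes out
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes for {len(data)} bytes of input")
        out += piece
        pending = inflater.unconsumed_tail
        if not piece and not pending and not inflater.eof:
            raise ValueError("truncated or incomplete compressed stream")
    if inflater.unused_data:
        raise ValueError("trailing bytes after end of compressed stream")
    return bytes(out)

def demo():
    """Run the limiter on constructed inputs; returns (ok_output, rejected_flag)."""
    ordinary = zlib.compress(b"transcribe this short clip")  # constructed sample
    oversized = zlib.compress(b"\x00" * (8 * 1024 * 1024))   # constructed: 8 MiB of zeros
    ok = bounded_decompress(ordinary, max_output=1024 * 1024)
    try:
        bounded_decompress(oversized, max_output=1024 * 1024)
        rejected = False
    except DecompressionLimitExceeded:
        rejected = True
    return ok, rejected

if __name__ == "__main__":
    print(demo())
```

The same pattern applies to any decoder that exposes a streaming interface: the budget is checked before each chunk is retained, so peak memory stays near `max_output` regardless of how small the upload was.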
References
OWASP LLM Top 10 — LLM10:2025 Unbounded Consumption