Skip to content

Add filtering for chat template kwargs#25794

Merged
DarkLight1337 merged 7 commits intovllm-project:mainfrom
russellb:vllm-ghsa-6fvq-23cw-5628
Sep 27, 2025
Merged

Add filtering for chat template kwargs#25794
DarkLight1337 merged 7 commits intovllm-project:mainfrom
russellb:vllm-ghsa-6fvq-23cw-5628

Conversation

@russellb
Copy link
Member

@russellb russellb commented Sep 27, 2025
edited by github-actions bot
Loading

Isotr0py and others added 4 commits September 19, 2025 22:21
@Isotr0py
untrust chat template from request by default
cf29ddd 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
avoid chat template kwargs attack
4936dbe 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
add chat template kwargs test
04c5021 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@russellb
Merge remote-tracking branch 'origin/main' into vllm-GHSA-6fvq-23cw-5628
30952a9
@russellb russellb added this to the v0.11.0 Cherry Picks milestone Sep 27, 2025
@mergify mergify bot added the frontend label Sep 27, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 27, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a critical security vulnerability (GHSA-6fvq-23cw-5628) related to arbitrary code execution via malicious chat templates. The core of the fix is the new resolve_chat_template_kwargs function, which intelligently filters keyword arguments passed to the Jinja2 template renderer. It ensures that only arguments both supported by the apply_chat_template function and explicitly declared as variables within the template are passed, effectively blocking the injection of a malicious chat_template. The changes also introduce a --trust-request-chat_template flag for defense-in-depth, preventing user-supplied templates from being used unless explicitly allowed. The implementation is robust, and the accompanying tests correctly validate the fix. Overall, this is a solid and important security patch.

@DarkLight1337 DarkLight1337 added the ready ONLY add when PR is ready to merge/full CI is needed label Sep 27, 2025
@DarkLight1337
Copy link
Member

DarkLight1337 commented Sep 27, 2025

@Isotr0py PTAL at the V1 test failure

@DarkLight1337
Copy link
Member

DarkLight1337 commented Sep 27, 2025

Let's also reject the request if it passes an untrusted chat template, to avoid silent regressions

@Isotr0py
refuse request with untrust chat template
70f1d84 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
fix api server test
95405ad 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
fix v1 entrypoint^Cest
a641e9a 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@DarkLight1337 DarkLight1337 enabled auto-merge (squash) September 27, 2025 09:12
@DarkLight1337 DarkLight1337 merged commit 7977e50 into vllm-project:main Sep 27, 2025
44 checks passed
simon-mo pushed a commit that referenced this pull request Sep 28, 2025
@russellb @Isotr0py @simon-mo
Add filtering for chat template kwargs (#25794)
04c2b26 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: simon-mo <simon.mo@hey.com>
pdasigi pushed a commit to pdasigi/vllm that referenced this pull request Oct 2, 2025
@russellb @Isotr0py @pdasigi
Add filtering for chat template kwargs (vllm-project#25794)
04df893 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
yewentao256 pushed a commit that referenced this pull request Oct 3, 2025
@russellb @Isotr0py @yewentao256
Add filtering for chat template kwargs (#25794)
1cb6005 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: yewentao256 <zhyanwentao@126.com>
youkaichao
youkaichao reviewed Oct 4, 2025
View reviewed changes
vllm/entrypoints/chat_utils.py
Comment on lines +1621 to +1625
resolved_kwargs = resolve_chat_template_kwargs(
tokenizer=tokenizer,
chat_template=hf_chat_template,
chat_template_kwargs=kwargs,
)
Copy link
Member

@youkaichao youkaichao Oct 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it called by each request? do we need to cache it?

Copy link
Member

@Isotr0py Isotr0py Oct 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, it's called by each request. This function won't compile the chat template, so I think it won't introduces too much overhead.

Given that kwargs can be various depending on the request's extra body, it's not really applicable to cache it.

Copy link
Member

@Isotr0py Isotr0py Oct 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add cache in #26227

Copy link
Contributor

@Eviannn Eviannn Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, it's called by each request. This function won't compile the chat template, so I think it won't introduces too much overhead.

Given that kwargs can be various depending on the request's extra body, it's not really applicable to cache it.

using npu(ascend 910c) it costs about 10-20ms, it is great to cache it

Copy link

@wuwenbin wuwenbin Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems this change might be linked to a ~10x latency jump we saw in our benchmarks on 0.11.0 (where CPU hit 100%).
The caching in 0.11.1 appears to solve it, but upgrading is a bit tricky since it requires CUDA ≥ 12.9.

Copy link
Member

@DarkLight1337 DarkLight1337 Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can still use older CUDA versions if you install vLLM from source.

@youkaichao
Copy link
Member

youkaichao commented Oct 4, 2025

in which case do we ever use chat template from users? I thought we should just disallow it.

@bbrowning
Copy link
Contributor

bbrowning commented Oct 4, 2025

We may also want a similar trust_request_chat_template around

vllm/vllm/entrypoints/openai/serving_tokenization.py

Line 83 in 2a6dc67

chat_template=request.chat_template or self.chat_template,

@Isotr0py Isotr0py mentioned this pull request Oct 4, 2025
Merged
5 tasks
choprahetarth pushed a commit to Tandemn-Labs/vllm that referenced this pull request Oct 11, 2025
@russellb @Isotr0py @choprahetarth
Add filtering for chat template kwargs (vllm-project#25794)
f789bda 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: simon-mo <simon.mo@hey.com>
shyeh25 pushed a commit to shyeh25/vllm that referenced this pull request Oct 14, 2025
@russellb @Isotr0py @shyeh25
Add filtering for chat template kwargs (vllm-project#25794)
9062fb1 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: simon-mo <simon.mo@hey.com>
lywa1998 pushed a commit to lywa1998/vllm that referenced this pull request Oct 20, 2025
@russellb @Isotr0py @lywa1998
Add filtering for chat template kwargs (vllm-project#25794)
8c3930f 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
alhridoy pushed a commit to alhridoy/vllm that referenced this pull request Oct 24, 2025
@russellb @Isotr0py @alhridoy
Add filtering for chat template kwargs (vllm-project#25794)
7637bba 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@wangln19 wangln19 mentioned this pull request Oct 28, 2025
Merged
5 tasks
rtourgeman pushed a commit to rtourgeman/vllm that referenced this pull request Nov 10, 2025
@russellb @Isotr0py @rtourgeman
Add filtering for chat template kwargs (vllm-project#25794)
971d41a 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@LaRiffle LaRiffle mentioned this pull request Mar 11, 2026
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@youkaichao youkaichao youkaichao left review comments

@Isotr0py Isotr0py Isotr0py left review comments

@DarkLight1337 DarkLight1337 DarkLight1337 approved these changes

@robertgshaw2-redhat robertgshaw2-redhat Awaiting requested review from robertgshaw2-redhat robertgshaw2-redhat is a code owner

@simon-mo simon-mo Awaiting requested review from simon-mo

@aarnphm aarnphm Awaiting requested review from aarnphm aarnphm is a code owner

@NickLucche NickLucche Awaiting requested review from NickLucche NickLucche is a code owner

@chaunceyjiang chaunceyjiang Awaiting requested review from chaunceyjiang chaunceyjiang is a code owner

+3 more reviewers

@wuwenbin wuwenbin wuwenbin left review comments

@Eviannn Eviannn Eviannn left review comments

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

frontend ready ONLY add when PR is ready to merge/full CI is needed

Projects

None yet

Milestone

v0.11.0 Cherry Picks

Development

Successfully merging this pull request may close these issues.

7 participants

@russellb @DarkLight1337 @youkaichao @bbrowning @wuwenbin @Isotr0py @Eviannn