Patch Protobuf for CVE-2026-0994 #33619
👋 Hi! Thank you for contributing to the vLLM project. 💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels. Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run You ask your reviewers to trigger select CI tests on top of Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging. To run CI, PR reviewers can either: Add If you have any questions, please reach out to us on Slack at https://slack.vllm.ai. 🚀
Code Review
This pull request aims to patch a security vulnerability in the protobuf package. However, the specified version 6.33.5 is invalid and does not exist, which would cause dependency installation to fail. Additionally, the CVE number referenced in the pull request title, description, and code comments appears to be a typo. Based on the linked security advisory, the correct CVE is CVE-2022-3171.
I have provided suggestions to update the version to a valid patched version (>= 4.21.9, <5) and correct the CVE number. It would also be good to update the PR title to reflect the correct CVE.
| @@ -9,5 +9,5 @@ wheel | |||
| jinja2>=3.1.6 | |||
| regex | |||
| build | |||
| protobuf | |||
| protobuf >= 6.33.5 | |||
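Review bot: the new floor `protobuf >= 6.33.5` in this hunk carries no comment saying why it was introduced, whereas the same pin in the second hunk is annotated with the CVE; add the same annotation here so the build requirement is not relaxed later by someone who does not know it is security motivated. Also note that a hard floor of 6.33.5 excludes every 5.x release, while the main-branch follow-up commit quoted further down uses `>= 5.29.6` and excludes only the 6.30.0-6.33.4 window; consider aligning both files with that range before merge.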
The specified protobuf version 6.33.5 does not exist. This will cause dependency installation to fail.
Based on the security advisory linked in the pull request description (GHSA-7gcm-g887-7qv7), a patched version should be used. To fix the vulnerability while staying on the 4.x series of protobuf, I recommend using protobuf >= 4.21.9, <5.
protobuf >= 4.21.9, <5
| @@ -9,7 +9,7 @@ blake3 | |||
| py-cpuinfo | |||
| transformers >= 4.56.0, < 5 | |||
| tokenizers >= 0.21.1 # Required for fast incremental detokenization. | |||
| protobuf # Required by LlamaTokenizer, gRPC. | |||
| protobuf >= 6.33.5 # Required by LlamaTokenizer, gRPC. CVE-2026-0994 | |||
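Review bot: the pin in this hunk is open-ended above, so any future protobuf major release would be accepted; since `transformers` on the line above in the same file is capped with `< 5`, consider a matching upper bound such as `< 7` on protobuf, and keep the resulting specifier identical to the one used in the build requirements hunk so the two files cannot drift apart.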
The specified protobuf version 6.33.5 is incorrect and does not exist. Additionally, the CVE number CVE-2026-0994 is a typo. The correct CVE for the linked advisory is CVE-2022-3171.
I suggest updating both the version and the CVE number in the comment. To fix the vulnerability while staying on the 4.x series of protobuf, a safe version pin would be >= 4.21.9, <5.
protobuf >= 4.21.9, <5 # Required by LlamaTokenizer, gRPC. CVE-2022-3171
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
9530caa to 0073e44
Pin protobuf >= 5.29.6 and exclude vulnerable 6.30.0-6.33.4 range. This is the main branch counterpart to vllm-project#33619 which only targeted the v0.15.1 patch release. Signed-off-by: Seiji Eicher <seiji@anyscale.com>
Purpose
Fixes PB for CVE-2026-0994 for 0.15.1
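The two pin strategies on this page differ in which releases they admit: this PR's plain floor `>= 6.33.5` versus the main-branch commit's `>= 5.29.6` with the 6.30.0-6.33.4 window excluded. The script below is an added illustration, not code from the vLLM project or either PR. It evaluates a set of constructed sample version strings against both strategies and renders the main-branch range as a PEP 440 specifier line, which goes slightly beyond the page, which only describes the range in words. It uses only the standard library; the `parse_version` helper, the function names and the sample versions are assumptions made here.

```python
"""Compare two protobuf pin strategies against candidate release versions.

Added example; assumes plain x.y.z release versions (no pre-release tags).
"""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Constructed sample versions for the demonstration; not resolver output.
SAMPLE_VERSIONS = ["4.25.3", "5.29.5", "5.29.6", "6.29.0", "6.30.0",
                   "6.33.4", "6.33.5", "7.0.0"]


def parse_version(text: str) -> Version:
    """Parse '6.33.5' into a comparable (major, minor, patch) tuple.

    Pre-release or post-release suffixes are rejected rather than guessed at.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


# Strategy from this PR: a single floor with no upper bound.
PR_FLOOR = parse_version("6.33.5")

# Strategy from the main-branch follow-up commit: floor at 5.29.6 and
# exclusion of the 6.30.0 .. 6.33.4 window.
MAIN_FLOOR = parse_version("5.29.6")
EXCLUDED_LOW = parse_version("6.30.0")
EXCLUDED_HIGH = parse_version("6.33.4")


def pr_pin_allows(v: Version) -> bool:
    """True if the candidate satisfies 'protobuf >= 6.33.5'."""
    return v >= PR_FLOOR


def main_pin_allows(v: Version) -> bool:
    """True if the candidate satisfies the floor and is outside the window."""
    if v < MAIN_FLOOR:
        return False
    return not (EXCLUDED_LOW <= v <= EXCLUDED_HIGH)


def main_pin_specifier() -> str:
    """Render the main-branch strategy as a PEP 440 specifier.

    Assumes the excluded window starts at an x.y.0 release and stays within
    one major version, so whole minors can use the '!=x.y.*' wildcard form
    and only the final minor needs its patch releases enumerated.
    """
    major, lo_minor, lo_patch = EXCLUDED_LOW
    hi_major, hi_minor, hi_patch = EXCLUDED_HIGH
    if major != hi_major or lo_patch != 0:
        raise ValueError("window must start at x.y.0 and stay within one major")
    parts = ["protobuf>=" + ".".join(map(str, MAIN_FLOOR))]
    for minor in range(lo_minor, hi_minor):
        parts.append(f"!={major}.{minor}.*")
    for patch in range(hi_patch + 1):
        parts.append(f"!={major}.{hi_minor}.{patch}")
    return ",".join(parts)


def compare(versions: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each version string to (allowed by PR pin, allowed by main pin)."""
    out = {}
    for text in versions:
        v = parse_version(text)
        out[text] = (pr_pin_allows(v), main_pin_allows(v))
    return out


if __name__ == "__main__":
    print(main_pin_specifier())
    for text, (pr_ok, main_ok) in compare(SAMPLE_VERSIONS).items():
        print(f"{text:>8}  PR pin: {pr_ok!s:5}  main pin: {main_ok!s:5}")
```

Running it shows the practical difference: 5.29.6 is accepted by the main-branch range but rejected by this PR's floor, while both reject every version inside the 6.30.0-6.33.4 window and accept 6.33.5.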