DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-8JR5-V98P-W75M: GHSA-8JR5-V98P-W75M: Perception Desynchronization via Unnormalized EXIF Orientation and PNG Transparency in vLLM

#security #cve #cybersecurity #ghsa

GHSA-8JR5-V98P-W75M: Perception Desynchronization via Unnormalized EXIF Orientation and PNG Transparency in vLLM

Vulnerability ID: GHSA-8JR5-V98P-W75M
CVSS Score: 8.6
Published: 2026-06-17

A critical preprocessing mismatch exists in vLLM's multimodal image pipeline before commit cf1c90672404548aa3bc51f92c4745576a65ee26. The vulnerability occurs because the engine loads user-submitted images and passes them to underlying Vision-Language Models (VLMs) without normalizing their EXIF orientation metadata or fully resolving complex transparency structures. This gap creates a perception desynchronization vulnerability where the physical pixel grid processed by the AI model differs significantly from how the image is visually rendered to human moderators or frontend applications. Attackers can exploit this mismatch to perform silent prompt injections, bypass safety moderation systems, or execute adversarial jailbreaks.

TL;DR

vLLM failed to normalize image EXIF orientation and PNG transparency metadata. This causes Vision-Language Models to see a different image (e.g., rotated or with visible high-contrast text) than what is visually shown to human moderators, enabling silent prompt injections and safety bypasses.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1156 / CWE-436
  • Attack Vector: Network
  • CVSS: 8.6
  • Impact: Perception Desynchronization / Security Bypass
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • vllm
  • vllm: < commit cf1c90672404548aa3bc51f92c4745576a65ee26 (Fixed in: commit cf1c90672404548aa3bc51f92c4745576a65ee26)

Code Analysis

Commit: cf1c906

Fix image preprocessing bugs (EXIF and transparency)

Exploit Details

  • GitHub Security Advisory: Proof of Concept validation code demonstrating transparency and EXIF manipulation using Pillow.

Mitigation Strategies

  • Upgrade vLLM to a secure release containing Commit cf1c90672404548aa3bc51f92c4745576a65ee26.
  • Deploy custom preprocessing middleware to normalize incoming image payloads before they reach the inference pipeline.
  • Align backend alpha-blending canvas colors with standard frontend rendering background colors.

Remediation Steps:

  1. Identify all deployment instances of vLLM processing multimodal image inputs.
  2. Apply the patch from commit cf1c90672404548aa3bc51f92c4745576a65ee26 or update the vLLM python package to the latest version.
  3. Implement visual test cases using custom tRNS PNG files to verify that transparent areas are correctly flattened to white.
  4. Verify EXIF orientation parsing by submitting rotated images with valid EXIF headers and asserting correct model spatial logic.

References

Read the full report for GHSA-8JR5-V98P-W75M on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)