CVE-2026-0599

NONE EPSS 97.5%
Published Feb 2, 20264mo ago · Modified Jun 17, 20261w ago
Find Similar
Published Feb 2, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7.

Threat Intelligence

EPSS Exploit Probability
97.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

References 2

  • github.com https://github.com/huggingface/text-generation-inference/commit/24ee40d143d8d046039f12f76940a85886cbe152
  • huntr.com https://huntr.com/bounties/1d3f2085-666c-4441-b265-22f6f7d8d9cd

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.