Skip to content

Add filtering for chat template kwargs #25794

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 27, 2025
Merged

Add filtering for chat template kwargs #25794

merged 7 commits into from
Sep 27, 2025
+158 −6

Conversation

@russellb
Copy link
Member

@russellb russellb commented Sep 27, 2025
edited by github-actions bot
Loading

Isotr0py and others added 4 commits September 19, 2025 22:21
@Isotr0py
untrust chat template from request by default
cf29ddd 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
avoid chat template kwargs attack
4936dbe 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
add chat template kwargs test
04c5021 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@russellb
Merge remote-tracking branch 'origin/main' into vllm-GHSA-6fvq-23cw-5628
30952a9
@russellb russellb added this to the v0.11.0 Cherry Picks milestone Sep 27, 2025
@mergify mergify bot added the frontend label Sep 27, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 27, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a critical security vulnerability (GHSA-6fvq-23cw-5628) related to arbitrary code execution via malicious chat templates. The core of the fix is the new resolve_chat_template_kwargs function, which intelligently filters keyword arguments passed to the Jinja2 template renderer. It ensures that only arguments both supported by the apply_chat_template function and explicitly declared as variables within the template are passed, effectively blocking the injection of a malicious chat_template. The changes also introduce a --trust-request-chat_template flag for defense-in-depth, preventing user-supplied templates from being used unless explicitly allowed. The implementation is robust, and the accompanying tests correctly validate the fix. Overall, this is a solid and important security patch.

@DarkLight1337 DarkLight1337 added the ready ONLY add when PR is ready to merge/full CI is needed label Sep 27, 2025
@DarkLight1337
Copy link
Member

@Isotr0py PTAL at the V1 test failure

@DarkLight1337
Copy link
Member

Let's also reject the request if it passes an untrusted chat template, to avoid silent regressions

@Isotr0py
refuse request with untrust chat template
70f1d84 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
fix api server test
95405ad 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@Isotr0py
fix v1 entrypoint^Cest
a641e9a 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
@DarkLight1337 DarkLight1337 enabled auto-merge (squash) September 27, 2025 09:12
@DarkLight1337 DarkLight1337 merged commit 7977e50 into vllm-project:main Sep 27, 2025
44 checks passed
simon-mo pushed a commit that referenced this pull request Sep 28, 2025
@russellb @Isotr0py @simon-mo
Add filtering for chat template kwargs (#25794)
04c2b26 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: simon-mo <simon.mo@hey.com>
pdasigi pushed a commit to pdasigi/vllm that referenced this pull request Oct 2, 2025
@russellb @Isotr0py @pdasigi
Add filtering for chat template kwargs (vllm-project#25794)
04df893 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
yewentao256 pushed a commit that referenced this pull request Oct 3, 2025
@russellb @Isotr0py @yewentao256
Add filtering for chat template kwargs (#25794)
1cb6005 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: yewentao256 <zhyanwentao@126.com>
youkaichao
youkaichao reviewed Oct 4, 2025
View reviewed changes
vllm/entrypoints/chat_utils.py
Comment on lines +1621 to +1625
resolved_kwargs = resolve_chat_template_kwargs(
tokenizer=tokenizer,
chat_template=hf_chat_template,
chat_template_kwargs=kwargs,
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it called by each request? do we need to cache it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, it's called by each request. This function won't compile the chat template, so I think it won't introduces too much overhead.

Given that kwargs can be various depending on the request's extra body, it's not really applicable to cache it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add cache in #26227

@youkaichao
Copy link
Member

in which case do we ever use chat template from users? I thought we should just disallow it.

@bbrowning
Copy link
Contributor

We may also want a similar trust_request_chat_template around

vllm/vllm/entrypoints/openai/serving_tokenization.py

Line 83 in 2a6dc67

chat_template=request.chat_template or self.chat_template,

@Isotr0py Isotr0py mentioned this pull request Oct 4, 2025
Merged
5 tasks
xuebwang-amd pushed a commit to xuebwang-amd/vllm that referenced this pull request Oct 10, 2025
@russellb @Isotr0py @xuebwang-amd
Add filtering for chat template kwargs (vllm-project#25794)
2c589ca 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: xuebwang-amd <xuebwang@amd.com>
choprahetarth pushed a commit to Tandemn-Labs/vllm that referenced this pull request Oct 11, 2025
@russellb @Isotr0py @choprahetarth
Add filtering for chat template kwargs (vllm-project#25794)
f789bda 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: simon-mo <simon.mo@hey.com>
shyeh25 pushed a commit to shyeh25/vllm that referenced this pull request Oct 14, 2025
@russellb @Isotr0py @shyeh25
Add filtering for chat template kwargs (vllm-project#25794)
9062fb1 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: simon-mo <simon.mo@hey.com>
lywa1998 pushed a commit to lywa1998/vllm that referenced this pull request Oct 20, 2025
@russellb @Isotr0py @lywa1998
Add filtering for chat template kwargs (vllm-project#25794)
8c3930f 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
alhridoy pushed a commit to alhridoy/vllm that referenced this pull request Oct 24, 2025
@russellb @Isotr0py @alhridoy
Add filtering for chat template kwargs (vllm-project#25794)
7637bba 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
xuebwang-amd pushed a commit to xuebwang-amd/vllm that referenced this pull request Oct 24, 2025
@russellb @Isotr0py @xuebwang-amd
Add filtering for chat template kwargs (vllm-project#25794)
1e2d10b 
Signed-off-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Co-authored-by: Isotr0py <mozf@mail2.sysu.edu.cn>
Signed-off-by: xuebwang-amd <xuebwang@amd.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@youkaichao youkaichao youkaichao left review comments

@Isotr0py Isotr0py Isotr0py left review comments

@DarkLight1337 DarkLight1337 DarkLight1337 approved these changes

@robertgshaw2-redhat robertgshaw2-redhat Awaiting requested review from robertgshaw2-redhat robertgshaw2-redhat is a code owner

@simon-mo simon-mo Awaiting requested review from simon-mo simon-mo is a code owner

@aarnphm aarnphm Awaiting requested review from aarnphm aarnphm is a code owner

@NickLucche NickLucche Awaiting requested review from NickLucche NickLucche is a code owner

@chaunceyjiang chaunceyjiang Awaiting requested review from chaunceyjiang chaunceyjiang is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

frontend ready ONLY add when PR is ready to merge/full CI is needed

Projects

None yet

Milestone

v0.11.0 Cherry Picks

Development

Successfully merging this pull request may close these issues.

5 participants

@russellb @DarkLight1337 @youkaichao @bbrowning @Isotr0py