CVE-2026-0599
Unbounded External Image Fetching in Huggingface Text-Generation Causes Resource Exhaustion
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: huntr.dev
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | text-generation-inference | up to 3.3.7 (exclusive) |
| huggingface | text-generation-inference | 3.3.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in huggingface/text-generation-inference version 3.3.6, where unauthenticated remote attackers can exploit unbounded external image fetching during input validation in VLM mode. The system scans inputs for Markdown image links and performs blocking HTTP GET requests to fetch these images, reading the entire response body into memory and cloning it before decoding. This unbounded fetching can lead to resource exhaustion such as network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability can be triggered even if the request is later rejected for exceeding token limits. The default deployment lacks memory usage limits and authentication, which can cause the host machine to crash. The issue is fixed in version 3.3.7 by introducing a configurable maximum image fetch size limit to prevent excessively large image payloads from being fetched and processed. [1]
How can this vulnerability impact me?
This vulnerability can impact you by causing resource exhaustion on the host machine running the vulnerable software. Specifically, it can saturate network bandwidth, inflate memory usage, and overutilize CPU resources, potentially leading to a crash of the host machine. Since the vulnerability can be exploited by unauthenticated remote attackers, it poses a risk of denial-of-service attacks that disrupt service availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring for unusual HTTP GET requests initiated by the huggingface/text-generation-inference service, especially those fetching large external images embedded in Markdown inputs. Network monitoring tools or packet capture utilities (e.g., tcpdump or Wireshark) can be used to identify outbound HTTP requests to external image URLs. Additionally, inspecting logs of the inference server for repeated or large image fetch attempts may help. Specific commands could include:
1. Using tcpdump to capture HTTP GET requests from the server: `tcpdump -i <interface> 'tcp port 80 or tcp port 443'`, filtering for requests from the text-generation-inference process IP.
2. Using curl or wget to test fetching large images via Markdown input to see if the server attempts to fetch them.
3. Checking server resource usage (memory, CPU) for spikes during inference requests that include Markdown image links.
However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading huggingface/text-generation-inference to version 3.3.7 or later, where the vulnerability is fixed by introducing a configurable maximum image fetch size limit (`max_image_fetch_size`) that prevents unbounded image fetching and resource exhaustion. Additionally, configuring this parameter to a reasonable size limit (default 1 GB or lower) can help prevent denial-of-service attacks. Implementing authentication and memory usage limits in the deployment configuration can further reduce risk. Until upgrade, monitoring and restricting outbound HTTP requests from the inference server may help mitigate exploitation. [1]
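The fetch-size cap described above, shown as an added example in Rust (this is not TGI's own code): a minimal Markdown image-link scanner, the unbounded read pattern beside a bounded one, and a validation step that fails a prompt on the first oversized image before any tokenization. The constant name, the 1024-byte limit and the function names are assumptions of this example; TGI 3.3.7's real setting is the configurable `max_image_fetch_size`.

```rust
use std::io::{self, Read};

/// Per-image size cap. Placeholder value for this example; TGI 3.3.7's own
/// setting is the configurable `max_image_fetch_size`.
pub const MAX_IMAGE_FETCH_SIZE: usize = 1024;

/// Collect the URLs of Markdown image links `![alt](url)` in a prompt.
/// Minimal scanner written for this example, not the project's own parser.
pub fn markdown_image_urls(input: &str) -> Vec<String> {
    let mut urls = Vec::new();
    let mut rest = input;
    while let Some(start) = rest.find("![") {
        let after = &rest[start + 2..];
        let paren = match after.find("](") { Some(p) => p, None => break };
        let tail = &after[paren + 2..];
        let end = match tail.find(')') { Some(e) => e, None => break };
        urls.push(tail[..end].to_string());
        rest = &tail[end + 1..];
    }
    urls
}

/// Vulnerable pattern: the whole response body is pulled into memory no matter
/// how large it is, so memory use is bounded only by what the remote server sends.
pub fn read_body_unbounded<R: Read>(mut body: R) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    body.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Hardened pattern: stop reading at `max_bytes` and reject the image. Reading one
/// byte past the limit detects an oversized body without buffering more than that.
pub fn read_body_bounded<R: Read>(body: R, max_bytes: usize) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    body.take(max_bytes as u64 + 1).read_to_end(&mut buf)?;
    if buf.len() > max_bytes {
        let msg = format!("image body exceeds the {} byte fetch limit", max_bytes);
        return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
    }
    Ok(buf)
}

/// Input validation step: every referenced image goes through the bounded reader,
/// and the first oversized one fails the request before any tokenization happens.
pub fn fetch_prompt_images<R: Read>(input: &str, fetch: impl Fn(&str) -> io::Result<R>, max_bytes: usize) -> io::Result<Vec<Vec<u8>>> {
    let urls = markdown_image_urls(input);
    urls.iter().map(|url| read_body_bounded(fetch(url.as_str())?, max_bytes)).collect()
}
```

`fetch` is whatever HTTP client the deployment uses; the bound is applied to the body stream it returns, so a misbehaving remote server can never push more than `max_bytes + 1` bytes into memory per image.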
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote attackers to cause resource exhaustion through unbounded external image fetching, potentially crashing the host machine. This can lead to denial of service and availability issues.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the availability impact could indirectly affect compliance, as these regulations require maintaining system availability and protecting against denial-of-service attacks.
The default deployment lacks authentication and memory limits, which exacerbates the risk, potentially violating best practices for secure system configuration required by many compliance frameworks.
The fix introduced in version 3.3.7 adds a configurable maximum image fetch size limit to prevent resource exhaustion, improving security posture and helping maintain compliance with availability and security requirements.