CVE-2025-48887
published 2025-05-30

Priority: P433
CVSS 3.1 base score: 6.5 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.43% (34.2nd percentile)
vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.

Affected (4 ranges)

Vendor        Product  Version range                                          Fixed in
vllm-project  vllm     (not specified)                                        (not specified)
vllm          vllm     >= 0 < 4fc1bf813ad80172c1db31264beaef7d93fe0601        4fc1bf813ad80172c1db31264beaef7d93fe0601
vllm          vllm     >= 0.6.4 < 0.9.0                                       0.9.0
vllm          vllm     >= 0.6.4 < 0.9.0                                       0.9.0

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat  -        6.5    MEDIUM    -