CVE-2025-48887Regex Denial of Service in Vllm

CWE-1333Regex Denial of Service5 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 42.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
VllmVllm-project Vllm
Timeline
PublishedMay 30

Description

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple n

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

NVDvllm/vllm0.6.40.9.0
PyPIvllm/vllm0.6.40.9.0+1
CVEListV5vllm-project/vllm>= 0.6.4, < 0.9.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
CVE-2025-48887: vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `2025-05-30
GHSA
vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`2025-05-28
OSV
vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`2025-05-28

📋Vendor Advisories

1
Red Hat
vllm: vLLM has a Regular Expression Denial of Service (ReDoS) Vulnerability2025-05-30