CVE-2025-48942
Published 2025-05-30
Priority P433 · medium · CVSS 3.1 base score 6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS 0.45% (36.1st percentile)
vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with an invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar to GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vllm-project | vllm | — | — |
| vllm | vllm | >= 0 < 08bf7840780980c7568c573c70a6a8db94fd45ff | 08bf7840780980c7568c573c70a6a8db94fd45ff |
| vllm | vllm | >= 0.8.0 < 0.9.0 | 0.9.0 |
| vllm | vllm | >= 0.8.0 < 0.9.0 | 0.9.0 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
OSV
CVE-2025-48943: vLLM is an inference and serving engine for large language models (LLMs)
osv·2025-05-30·CVSS 6.5
CVE-2025-48943 [MEDIUM] CVE-2025-48943: vLLM is an inference and serving engine for large language models (LLMs)
vLLM is an inference and serving engine for large language models (LLMs). Versions 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg/CVE-2025-48942, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.
OSV
CVE-2025-48942: vLLM is an inference and serving engine for large language models (LLMs)
osv·2025-05-30·CVSS 6.5
CVE-2025-48942 [MEDIUM] CVE-2025-48942: vLLM is an inference and serving engine for large language models (LLMs)
vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with an invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar to GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.
OSV
vLLM DOS: Remotely kill vllm over http with invalid JSON schema
osv·2025-05-28
CVE-2025-48942 [MEDIUM] vLLM DOS: Remotely kill vllm over http with invalid JSON schema
vLLM DOS: Remotely kill vllm over http with invalid JSON schema
### Summary
Hitting the /v1/completions API with an invalid json_schema as a Guided Param will kill the vllm server.
### Details
The following API call

```shell
(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'
```

will provoke an uncaught exception from xgrammar in `./lib64/python3.11/site-packages/xgrammar/compiler.py`.
Issue with more information: https://github.com/vllm-project/vllm/issues/17248
### PoC
Make a call to vllm with an invalid json_schema, e.g. `{\"pr
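A defender's counterpart to the crash above, as an added example that is not vLLM's or xgrammar's code: pre-validate `guided_json` before it reaches the grammar compiler and turn any compiler exception into an HTTP 400 instead of letting it propagate (CWE-248). The request shape follows the curl call; `compile_grammar` is a hypothetical injected hook standing in for the real compiler, and the allowed type names come from the JSON Schema specification.

```python
import json
from typing import Any, Callable

# Primitive type names JSON Schema allows; the PoC's "stsring" is not one of them.
JSON_SCHEMA_TYPES = {"string", "number", "integer", "boolean", "object", "array", "null"}


def schema_errors(node: Any, path: str = "$") -> list[str]:
    """Walk a schema and collect unknown 'type' keywords and malformed subschemas."""
    if not isinstance(node, dict):
        return [f"{path}: schema must be a JSON object"]
    errors: list[str] = []
    declared = node.get("type")
    if declared is not None:
        for name in (declared if isinstance(declared, list) else [declared]):
            if not isinstance(name, str) or name not in JSON_SCHEMA_TYPES:
                errors.append(f"{path}.type: unknown type {name!r}")
    props = node.get("properties", {})
    if not isinstance(props, dict):
        errors.append(f"{path}.properties: must be a JSON object")
    else:
        for key, sub in props.items():
            errors.extend(schema_errors(sub, f"{path}.properties.{key}"))
    if "items" in node:
        errors.extend(schema_errors(node["items"], f"{path}.items"))
    return errors


def handle_completion(request: dict, compile_grammar: Callable[[dict], Any]) -> tuple[int, dict]:
    """Return (HTTP status, body). A bad guided_json yields 400; nothing escapes uncaught."""
    raw = request.get("guided_json")
    if raw is None:
        return 200, {"guided": False}            # unguided request, nothing to compile
    try:
        # The advisory's curl call sends guided_json as a JSON-encoded string.
        schema = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError as exc:
        return 400, {"error": f"guided_json is not valid JSON: {exc.msg}"}
    errors = schema_errors(schema)
    if errors:
        return 400, {"error": "invalid guided_json", "details": errors}
    try:
        compile_grammar(schema)                  # hypothetical compiler hook (injected)
    except Exception as exc:                     # boundary catch: the unhandled path is the bug
        return 400, {"error": f"grammar compilation failed: {exc}"}
    return 200, {"guided": True}
```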
GHSA
vLLM DOS: Remotely kill vllm over http with invalid JSON schema
ghsa·2025-05-28
CVE-2025-48942 [MEDIUM] CWE-248 vLLM DOS: Remotely kill vllm over http with invalid JSON schema
Red Hat
vllm: Remote crash of vllm server with invalid regex
vendor_redhat·2025-05-30·CVSS 6.5
CVE-2025-48943 [MEDIUM] CWE-248 vllm: Remote crash of vllm server with invalid regex
vllm: Remote crash of vllm server with invalid regex
vLLM is an inference and serving engine for large language models (LLMs). Versions 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg/CVE-2025-48942, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.
An application level denial of service flaw was found in vLLM. This flaw allows a remote attacker with access to the system prompt to submit an invalid regular expression while requesting structured output and crash the vLLM instance.
Statement: The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects a
Red Hat
vllm: vLLM denial of service via invalid JSON schema
vendor_redhat·2025-05-30·CVSS 6.5
CVE-2025-48942 [MEDIUM] CWE-248 vllm: vLLM denial of service via invalid JSON schema
vllm: vLLM denial of service via invalid JSON schema
vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with an invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar to GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.
A denial of service flaw was found in vLLM. This flaw allows a remote attacker with access to the /v1/completions endpoint to submit an invalid json_schema as a guided param, which will crash the vLLM instance.
Statement: The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to the application layer, without compromisi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-05-30
Published