cbcvebase.
CVE-2025-48944
published 2025-05-30

CVE-2025-48944: vLLM is an inference and serving engine for large language models (LLMs). In version 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the…

PriorityP434medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
0.45%
35.8th percentile
vLLM is an inference and serving engine for large language models (LLMs). In version 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. Version 0.9.0 fixes the issue.

Affected

3 ranges
VendorProductVersion rangeFixed in
vllm-projectvllm
vllmvllm>= 0.8.0 < 0.9.00.9.0
vllmvllm>= 0.8.0 < 0.9.00.9.0

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.