GSA_kwCzR0hTQS05aGNmLXY3bTQtNm0yas4ABIcl

Moderate EPSS: 0.00052% (0.16205 Percentile) EPSS:

Permalink JSON

vLLM allows clients to crash the openai server with invalid regex

Affected Packages	Affected Versions	Fixed Versions
pypi:vllm	>= 0.8.0, < 0.9.0	0.9.0
46 Dependent packages 5 Dependent repositories 3,786,612 Downloads last month Affected Version Ranges All affected versions 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5 All unaffected versions 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.9.0, 0.9.1, 0.9.2, 0.10.0

Impact

A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema.

Issue with more details: https://github.com/vllm-project/vllm/issues/17313

Patches

https://github.com/vllm-project/vllm/pull/17623

References:

Identifiers

GHSA-9hcf-v7m4-6m2j

CVE-2025-48943

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00052

EPSS Percentile: 0.16205

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/vllm-project/vllm

Date and time

Published

2 months ago

Updated

about 1 month ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories