CVE-2025-48887

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-48887
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48887.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48887
Aliases
Related
Published
2025-05-30T17:36:16Z
Modified
2025-10-16T04:57:01.928854Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`
Details

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.

References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type
GIT
Repo
https://github.com/vllm-project/vllm
Events
Introduced
02dbf30e9a4389b41d95dd595bfe1224592dd404
Fixed
58738772410c5e0d60b61db39538a9b313d2d7ad

Affected versions

v0.*

v0.6.4
v0.6.4.post1
v0.6.5
v0.6.6
v0.6.6.post1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0rc1
v0.8.0rc2
v0.8.1
v0.8.2
v0.8.3rc1
v0.8.4