CVE-2025-48944

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-48944

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48944.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-48944

Aliases

GHSA-vrq3-r879-7m65

Related

CGA-h4cp-mqqw-m8g3

Published

2025-05-30T18:38:45Z

Modified

2025-10-21T19:33:34Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

vLLM Tool Schema allows DoS via Malformed pattern and type Fields

Details

vLLM is an inference and serving engine for large language models (LLMs). In version 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. Version 0.9.0 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

Git / github.com/vllm-project/vllm

Affected ranges

Type: GIT
Repo: https://github.com/vllm-project/vllm
Events: Introduced

966f933ee1cd7c9a41db60de5c7ff98657005251

Fixed

58738772410c5e0d60b61db39538a9b313d2d7ad