PYSEC-2026-2054

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/xgrammar/PYSEC-2026-2054.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2054
Aliases
Published
2026-07-07T16:03:01.881040Z
Modified
2026-07-07T17:48:17.630220471Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
XGrammar affected by Denial of Service by infinite recursion grammars
Details

Summary

This issue: http://github.com/mlc-ai/xgrammar/issues/250 should have it's own security advisory. Since several tools accept and pass user supplied grammars to xgrammar, and it is so easy to trigger it seems like a High.

References

Affected packages

PyPI / xgrammar

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.1.21

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4rc2
0.1.4
0.1.5rc1
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/xgrammar/PYSEC-2026-2054.yaml"