vllm – Regular Expression Denial of Service in Multiple Components

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

Basic Information

ID CVE-2025-71379

Source VulnCheck

Published Jun 20, 2026 at 18:27

Affected Product

Vendor vllm

Product vllm

Version 0.6.3

Affected Versions vllm vllm 0.6.3

CWE Classification

CWE-1333

References

{
    "lastseen": "",
    "description": "vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns \u2014 in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint \u2014 are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.",
    "published": "2026-06-20T18:27:09.485Z",
    "modified": "2026-06-20T18:27:09.485Z",
    "type": "cve",
    "title": "vllm - Regular Expression Denial of Service in Multiple Components",
    "source": "VulnCheck",
    "references": "https://github.com/vllm-project/vllm/security/advisories/GHSA-j828-28rj-hfhp\nhttps://www.vulncheck.com/advisories/vllm-regular-expression-denial-of-service-in-multiple-components",
    "id": "CVE-2025-71379",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1333"
    ],
    "cvelist": null,
    "sourceData": "vllm vllm 0.6.3",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vllm",
    "version": "0.6.3",
    "vendor": "vllm",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

vllm – Regular Expression Denial of Service in Multiple Components_CVE-2025-71379