CVE-2025-48943

EPSS 0.4%
Veröffentlicht 30.05.2025 18:36:01
Zuletzt bearbeitet 02.06.2025 17:32:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

vLLM allows clients to crash the openai server with invalid regex

vLLM is an inference and serving engine for large language models (LLMs). Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg/CVE-2025-48942, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervllm-project

≫

Produkt vllm

Version >= 0.8.0, < 0.9.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.317

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

https://github.com/vllm-project/vllm/pull/17623

https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff

https://github.com/vllm-project/vllm/security/advisories/GHSA-9hcf-v7m4-6m2j

https://github.com/vllm-project/vllm/issues/17313

https://nvd.nist.gov/vuln/detail/CVE-2025-48943

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48943

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48943

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-48943