vllm - Regular Expression Denial of Service in Multiple Components | Advisories

Advisories

vllm - Regular Expression Denial of Service in Multiple Components

severity: medium
date: 6/20/2026
Affecting: vllm >= 0.6.3, < 0.9.0
CVE: CVE-2025-71379
CWE: CWE-1333 Inefficient Regular Expression Complexity
CVSS: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-j828-28rj-hfhp
Credit: kexinoh, russellb, mgoin
Description: vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo