Description

vLLM is an inference and serving engine for large language models (LLMs). Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg/CVE-2025-48942, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

INFO

Published Date :

2025-05-30T18:36:01.519Z

Last Modified :

2025-05-30T18:56:18.715Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48943 vulnerability.

Vendors Products
Vllm
  • Vllm
Vllm-project
  • Vllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48943.

URL Resource
https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/issues/17313 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/pull/17623 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/security/advisories/GHSA-9hcf-v7m4-6m2j cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-48943 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-48943 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact