CVE Catalog

CVE-2025-71379

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

ReDoS vulnerability in vLLM versions 0.6.3 through 0.9.0. Regular expression patterns in several components (vllm/lora/utils.py, phi4mini parser, OpenAI chat endpoint) are susceptible to catastrophic backtracking, allowing an attacker to cause CPU exhaustion and performance degradation.

Risk Assessment

An attacker can submit crafted input with nested or repeated structures, causing severe CPU consumption and performance degradation, leading to denial of service (DoS).

Recommendation

It is recommended to upgrade vLLM to version 0.9.0 or later, which includes fixes for these ReDoS vulnerabilities.

Original NVD description (English source)

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS