CVE-2025-71379
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
ReDoS vulnerability in vLLM versions 0.6.3 through 0.9.0. Regular expression patterns in several components (vllm/lora/utils.py, phi4mini parser, OpenAI chat endpoint) are susceptible to catastrophic backtracking, allowing an attacker to cause CPU exhaustion and performance degradation.
Risk Assessment
An attacker can submit crafted input with nested or repeated structures, causing severe CPU consumption and performance degradation, leading to denial of service (DoS).
Recommendation
It is recommended to upgrade vLLM to version 0.9.0 or later, which includes fixes for these ReDoS vulnerabilities.
Original NVD description (English source)
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

