GHSA-9hcf-v7m4-6m2j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9hcf-v7m4-6m2j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-9hcf-v7m4-6m2j/GHSA-9hcf-v7m4-6m2j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9hcf-v7m4-6m2j
- Aliases
- Published
- 2025-05-28T19:42:12Z
- Modified
- 2025-05-30T21:48:21.237738Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- vLLM allows clients to crash the openai server with invalid regex
- Details
-
Impact
A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema.
Issue with more details: https://github.com/vllm-project/vllm/issues/17313
Patches
- https://github.com/vllm-project/vllm/pull/17623
- Database specific
{ "nvd_published_at": "2025-05-30T19:15:30Z", "cwe_ids": [ "CWE-248" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-05-28T19:42:12Z" }- References
-
- https://github.com/vllm-project/vllm/security/advisories/GHSA-9hcf-v7m4-6m2j
- https://nvd.nist.gov/vuln/detail/CVE-2025-48943
- https://github.com/vllm-project/vllm/issues/17313
- https://github.com/vllm-project/vllm/pull/17623
- https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff
- https://github.com/vllm-project/vllm
Affected packages
PyPI / vllm
Package
- Name
- vllm
- View open source insights on deps.dev
- Purl
- pkg:pypi/vllm