Description
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.
Published: 2026-06-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vLLM versions between 0.6.3 and before 0.9.0 suffer from regular expression denial of service vulnerabilities, where crafted inputs trigger catastrophic backtracking in several regex patterns used in the LORA utilities, the phi4mini parser, and the OpenAI‑compatible chat endpoint. The excessive CPU consumption can cripple the host, causing application slowdown or unresponsiveness. The weakness is a REBASE regex inefficiency flaw (CWE‑1333) that compromises service availability.

Affected Systems

The vulnerability affects the vLLM project’s Python package. All releases from 0.6.3 up to, but not including, 0.9.0 are affected. Users running those versions should verify the installed version against the listed range.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the medium severity range. The EPSS score is unavailable, so the exact exploitation probability cannot be quantified, and the vulnerability is not listed in CISA KEV. Attackers can exploit it remotely through the chat endpoint or by uploading data that is processed by the problematic regex functions; no special authentication is required beyond normal API access. Given the vulnerability’s nature, a determined adversary can trigger the denial of service by sending heavily nested or repetitive input patterns.

Generated by OpenCVE AI on June 20, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vLLM library to version 0.9.0 or later, which contains fixed regex implementations.
  • If upgrading is not immediately possible, implement input rate limiting and size restrictions on the endpoints that use the vulnerable regexes to mitigate CPU exhaustion.
  • Audit and replace the affected regex patterns with non‑catastrophic alternatives, ensuring they do not contain unbounded backtracking paths.

Generated by OpenCVE AI on June 20, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.
Title vllm - Regular Expression Denial of Service in Multiple Components
First Time appeared Vllm
Vllm vllm
Weaknesses CWE-1333
CPEs cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products Vllm
Vllm vllm
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T18:12:51.944Z

Reserved: 2026-06-20T13:11:44.728Z

Link: CVE-2025-71379

cve-icon Vulnrichment

Updated: 2026-06-22T17:54:23.759Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-20T18:27:09Z

Links: CVE-2025-71379 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T20:00:06Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity