Impact
vLLM versions between 0.6.3 and before 0.9.0 suffer from regular expression denial of service vulnerabilities, where crafted inputs trigger catastrophic backtracking in several regex patterns used in the LORA utilities, the phi4mini parser, and the OpenAI‑compatible chat endpoint. The excessive CPU consumption can cripple the host, causing application slowdown or unresponsiveness. The weakness is a REBASE regex inefficiency flaw (CWE‑1333) that compromises service availability.
Affected Systems
The vulnerability affects the vLLM project’s Python package. All releases from 0.6.3 up to, but not including, 0.9.0 are affected. Users running those versions should verify the installed version against the listed range.
Risk and Exploitability
The CVSS score of 5.3 places this issue in the medium severity range. The EPSS score is unavailable, so the exact exploitation probability cannot be quantified, and the vulnerability is not listed in CISA KEV. Attackers can exploit it remotely through the chat endpoint or by uploading data that is processed by the problematic regex functions; no special authentication is required beyond normal API access. Given the vulnerability’s nature, a determined adversary can trigger the denial of service by sending heavily nested or repetitive input patterns.
OpenCVE Enrichment