Description
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Upgrade
AI Analysis

Impact

Uncontrolled recursion in xgrammar causes the library to crash via a segmentation fault when parsing multi‑layer nested syntax. The fault results in a core dump and service termination, denying availability to any consuming application. The weakness is identified as CWE‑674, an uncontrolled recursion that can be exploited by supplying maliciously nested input to the parser.

Affected Systems

The vulnerability affects the open‑source xgrammar library produced by mlc‑ai. All versions prior to 0.1.32 are impacted. The issue was addressed in release 0.1.32 and later.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity denial‑of‑service vulnerability. The EPSS score is less than 1 %, implying a very low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the fault by supplying deeply nested syntax to the parser, leading to a segmentation fault and service crash.

Generated by OpenCVE AI on April 17, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade xgrammar to version 0.1.32 or later.
  • Configure or validate input to enforce a maximum nesting depth before it is passed to the parser.
  • Monitor application logs and system restarts for evidence of crashes and apply the patch promptly.

Generated by OpenCVE AI on April 17, 2026 at 12:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7rgv-gqhr-fxg3 xgrammar vulnerable to DoS via multi-layer nesting
History

Fri, 13 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mlc-ai:xgrammar:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Mlc-ai
Mlc-ai xgrammar
Vendors & Products Mlc-ai
Mlc-ai xgrammar

Fri, 06 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
Title xgrammar: Multi-layer nesting causes DoS
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mlc-ai Xgrammar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T16:33:36.678Z

Reserved: 2026-01-28T14:50:47.886Z

Link: CVE-2026-25048

cve-icon Vulnrichment

Updated: 2026-03-05T16:33:33.059Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T16:16:15.853

Modified: 2026-03-13T18:09:38.707

Link: CVE-2026-25048

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-05T15:34:42Z

Links: CVE-2026-25048 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses