GHSA-vfm7-4h43-gp6mMediumCVSS 4.3

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS)...

Published
June 20, 2026
Last Modified
June 20, 2026

🔗 CVE IDs covered (1)

📋 Description

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

🔗 References (4)