GHSA-vfm7-4h43-gp6mMediumCVSS 4.3
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS)...
🔗 CVE IDs covered (1)
📋 Description
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.