Home > Vulnerability Database > CVE-2025-48887

Mend.io Vulnerability Database

CVE-2025-48887

Good to know:

Date: May 30, 2025

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file "vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py" of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.

Severity Score

6.5

Related Resources (7)

Url: https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601

Url: https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-50.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-48887

Url: https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25

Url: https://github.com/vllm-project/vllm/pull/18454

Url: https://github.com/vllm-project/vllm

Url: https://www.mend.io/vulnerability-database/CVE-2025-48887

Severity Score

6.5

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version vllm - 0.9.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-48887

Good to know:

Date: May 30, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?