CVE-2025-58446
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-06

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in 0.1.23 processes large grammars (>100k characters) at very low rates, and can be used for DOS of model providers. This issue is fixed in version 0.1.24.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-06
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58446
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mlc-ai xgrammar 0.1.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service (DoS) issue in the xgrammar library version 0.1.23. It arises from a regression in the Earley parser and the grammar optimizer that causes extremely slow processing of very large enum grammars (greater than 100,000 characters). Attackers can exploit this inefficiency by submitting large grammars that take minutes to parse, overwhelming the system and causing a denial of service. The problem was fixed in version 0.1.24 by optimizing the grammar optimizer and disabling some slow optimizations for large grammars. [1]

Impact Analysis

If you use the vulnerable xgrammar version 0.1.23, an attacker can exploit this vulnerability to cause denial of service by submitting very large enum grammars that take excessive time to parse. This can overwhelm your system's resources, degrade performance, and potentially make your model services unavailable until the parsing completes or the system recovers. Upgrading to version 0.1.24 mitigates this risk. [1]

Detection Guidance

This vulnerability can be detected by identifying if the xgrammar library version 0.1.23 is used and if it processes very large enum grammars (greater than 100,000 characters). A practical detection method is to test parsing of a large JSON schema with a large enum (e.g., 10,000 entries) and observe if the parsing takes an unusually long time (minutes). There is a proof of concept (PoC) that generates such a large enum schema and tests parsing performance. Specific commands would involve running the PoC code snippet that creates and parses the large enum schema using xgrammar 0.1.23 and measuring the processing time to detect the vulnerability. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the xgrammar library to version 0.1.24 or later, where the vulnerability is fixed by optimizing the grammar optimizer and disabling slow optimizations for large grammars. Until the upgrade is applied, avoid processing very large enum grammars (>100k characters) to prevent denial of service. Additionally, monitoring and limiting input grammar sizes can help reduce exposure. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart