CVE-2026-25048
Segmentation Fault in xgrammar Library via Nested Syntax Parsing
Publication date: 2026-03-05
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mlc-ai | xgrammar | to 0.1.32 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25048 is a denial-of-service (DoS) vulnerability in the Python package xgrammar version 0.1.31. It occurs due to multi-layer nested syntax causing a segmentation fault (core dumped). Specifically, when a malicious grammar rule is constructed with extremely deep nestingβsuch as 30,000 layers of nested parenthesesβit leads to uncontrolled recursion resulting in stack overflow or memory exhaustion.
This vulnerability causes the xgrammar compiler to crash during grammar compilation or processing, as it fails to limit recursion depth. The issue was fixed in version 0.1.32.
How can this vulnerability impact me? :
This vulnerability can cause a denial-of-service condition by crashing the application using the xgrammar library. An attacker can exploit it by providing a malicious grammar with extremely deep nested syntax, leading to excessive stack or memory consumption and ultimately causing the application to fail.
Such crashes can disrupt service availability, potentially impacting systems relying on xgrammar for structured generation or processing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to compile or process a grammar rule with extremely deep nesting, such as 30,000 layers of nested parentheses, which triggers a segmentation fault (core dumped) due to stack overflow or memory exhaustion.
A proof-of-concept script exists that defines such a deeply nested grammar rule and causes the xgrammar compiler to crash during grammar compilation or processing.
To detect the vulnerability on your system, you can run a test using a similar script that attempts to compile a grammar with very deep nesting and observe if the application crashes or produces a segmentation fault.
No specific network commands are provided, but monitoring for crashes or core dumps related to xgrammar during grammar compilation or generation is recommended.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the xgrammar library to version 0.1.32 or later, where this vulnerability has been patched.
Avoid processing or compiling grammar rules with extremely deep nesting until the upgrade is applied.