CVE-2025-71379
Analyzed Analyzed - Analysis Complete

vLLM ReDoS Vulnerabilities in Regex Parsing

Vulnerability report for CVE-2025-71379, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-20

Last updated on: 2026-06-26

Assigner: VulnCheck

Description

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns β€” in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint β€” are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-20
Last Modified
2026-06-26
Generated
2026-07-11
AI Q&A
2026-06-20
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vllm vllm From 0.6.3 (inc) to 0.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-71379 is a set of multiple Regular Expression Denial of Service (ReDoS) vulnerabilities found in vLLM versions 0.6.3 to 0.9.0.

These vulnerabilities arise from poorly constructed regular expressions in several components, including vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint.

An attacker can submit specially crafted input containing nested or repeated structures that cause catastrophic backtracking in these regex patterns.

This leads to excessive CPU consumption and severe performance degradation, which can result in denial of service by making the system unresponsive or causing it to crash.

Impact Analysis

The primary impact of this vulnerability is on system availability.

By exploiting the ReDoS vulnerabilities, an attacker can cause severe CPU resource exhaustion and performance degradation.

This can lead to denial of service conditions where the affected system becomes unresponsive or crashes.

The attack requires low complexity and low privileges and can be performed remotely over the network without user interaction.

There is no impact on confidentiality or integrity, but availability is significantly affected.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or severe performance degradation when processing inputs to the affected vLLM components, especially those involving regex operations in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint.

To detect potential exploitation attempts, you can look for processes consuming excessive CPU resources or hanging when handling inputs with nested or repeated structures.

Suggested commands to help detect this include:

  • Use system monitoring tools like `top` or `htop` to identify high CPU usage by vLLM processes.
  • Use `strace` or similar tools to trace system calls of the vLLM process to identify hangs or delays.
  • Check logs for unusually long processing times or errors related to regex parsing.
  • If you have access to the source or runtime environment, test the vulnerable regex patterns with crafted inputs such as nested parentheses or brackets (e.g., `((((a|)+)+)+)`) to observe performance impact.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade vLLM to version 0.9.0 or later, where these ReDoS vulnerabilities have been patched.
  • Limit the length and complexity of input strings processed by the affected components to reduce the risk of triggering catastrophic backtracking.
  • Replace vulnerable regex patterns with safer, non-recursive matching approaches or use structured parsing methods such as JSON parsers instead of regex for complex data.
  • Monitor system performance and resource usage to detect and respond to potential exploitation attempts promptly.
Compliance Impact

The vulnerability described is a Regular Expression Denial of Service (ReDoS) affecting availability by causing severe CPU consumption and performance degradation. It does not impact confidentiality or integrity of data.

Since the vulnerability primarily affects system availability and does not lead to unauthorized access or data leakage, its direct impact on compliance with standards like GDPR or HIPAAβ€”which focus heavily on data confidentiality and integrityβ€”is limited.

However, prolonged denial of service could indirectly affect compliance by disrupting availability requirements or service continuity obligations under certain regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71379. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart