CVE-2025-71379
vLLM ReDoS Vulnerabilities in Regex Parsing

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns (in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint) are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.
Meta Information
Published: 2026-06-20
Last modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS evaluated: N/A
Affected Vendors & Products
Vendor          Product   Version / Range
vllm_project    vllm      From 0.6.3 (inc) to 0.9.0 (exc)
CWE
CWE ID      Description
CWE-1333    The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Executive Summary

CVE-2025-71379 is a set of multiple Regular Expression Denial of Service (ReDoS) vulnerabilities found in vLLM versions from 0.6.3 up to, but not including, 0.9.0.

These vulnerabilities arise from poorly constructed regular expressions in several components, including vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint.

An attacker can submit specially crafted input containing nested or repeated structures that cause catastrophic backtracking in these regex patterns.

This leads to excessive CPU consumption and severe performance degradation, which can result in denial of service by making the system unresponsive or causing it to crash.

Impact Analysis

The primary impact of this vulnerability is on system availability.

By exploiting the ReDoS vulnerabilities, an attacker can cause severe CPU resource exhaustion and performance degradation.

This can lead to denial of service conditions where the affected system becomes unresponsive or crashes.

The attack requires low complexity and low privileges and can be performed remotely over the network without user interaction.

There is no impact on confidentiality or integrity, but availability is significantly affected.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or severe performance degradation when processing inputs to the affected vLLM components, especially those involving regex operations in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint.

To detect potential exploitation attempts, you can look for processes consuming excessive CPU resources or hanging when handling inputs with nested or repeated structures.

Suggested commands to help detect this include:

  • Use system monitoring tools like `top` or `htop` to identify high CPU usage by vLLM processes.
  • Use `strace` or similar tools to trace system calls of the vLLM process to identify hangs or delays.
  • Check logs for unusually long processing times or errors related to regex parsing.
  • If you have access to the source or runtime environment, test the affected regex patterns against inputs containing nested or repeated structures, such as deeply nested parentheses or brackets, and observe the processing time; a pattern of the shape `((((a|)+)+)+)` is the textbook form that backtracks catastrophically on such input.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade vLLM to version 0.9.0 or later, where these ReDoS vulnerabilities have been patched.
  • Limit the length and complexity of input strings processed by the affected components to reduce the risk of triggering catastrophic backtracking.
  • Replace vulnerable regex patterns with safer, non-recursive matching approaches or use structured parsing methods such as JSON parsers instead of regex for complex data.
  • Monitor system performance and resource usage to detect and respond to potential exploitation attempts promptly.
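The second and third mitigation bullets above (bounding input size, and replacing a backtracking-prone pattern with a linear one) as an added example in Python. This is not vLLM's code and the patterns are constructed for illustration; the actual vLLM patterns are not shown on this page. It assumes only the standard library.

```python
import re
import time

# Constructed pattern with a nested quantifier, in the spirit of the
# CWE-1333 patterns described above (NOT the actual vLLM patterns).
# On "aaaa...a!" the engine tries every way of splitting the run of
# word characters between iterations of the outer group: 2^(n-1) paths.
VULNERABLE = re.compile(r"^(\w+\s?)+$")

# Backtracking-free rewrite accepting the same language: one token,
# then zero or more (single separator + token), optional trailing space.
# Every character has exactly one place it can be consumed, so a match
# attempt runs in linear time on both accepted and rejected input.
HARDENED = re.compile(r"^\w+(?:\s\w+)*\s?$")

MAX_INPUT_LEN = 256  # cap chosen for illustration; tune per endpoint


def guarded_fullmatch(pattern, text, max_len=MAX_INPUT_LEN):
    """Mitigation 2: refuse oversized input before the engine sees it."""
    if len(text) > max_len:
        return None
    return pattern.fullmatch(text)


def patterns_agree(samples):
    """Mitigation 3 check: the rewrite accepts exactly what the original did."""
    return all(
        (VULNERABLE.fullmatch(s) is None) == (HARDENED.fullmatch(s) is None)
        for s in samples
    )


def timed_fullmatch(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    legit = ["ab cd", "ab cd ", "abcd", "ab  cd", " ab", ""]  # constructed
    print("rewrite preserves behaviour:", patterns_agree(legit))
    # Constructed non-matching input: a word run followed by a stray '!'.
    # Kept short (n=20) because VULNERABLE's cost doubles with each char.
    probe = "a" * 20 + "!"
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        matched, secs = timed_fullmatch(pat, probe)
        print(f"{name:10s} matched={matched} time={secs:.4f}s")
    print("oversized input rejected:",
          guarded_fullmatch(HARDENED, "a" * 1000) is None)
```

Running the script shows the hardened pattern finishing the probe in microseconds while the nested-quantifier version's time doubles with every added character, which is the behaviour the detection guidance above tells you to watch for.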