CVE-2026-55574
Received Received - Intake

ReDoS Vulnerability in vLLM Prior to 0.24.0

Vulnerability report for CVE-2026-55574, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structured_outputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the string reaches the regex compiler with no guard, and in the outlines backend the validation step blocks structural issues such as lookarounds and backreferences but performs no complexity analysis, so a pattern with nested quantifiers passes all checks and causes exponential state-space expansion, allowing a single request containing an adversarial regex to hang an inference worker indefinitely and deny service. This issue is fixed in version 0.24.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in vLLM versions prior to 0.24.0 in the structured_outputs.regex API parameter. This parameter accepts a user-supplied regular expression string and passes it directly to the grammar compiler backends without any compilation timeout or complexity checks. Specifically, in the xgrammar backend, the regex string is compiled with no guard, and in the outlines backend, although some structural issues are blocked, complex patterns with nested quantifiers are not analyzed for complexity. This allows an adversarial regex pattern to cause exponential state-space expansion, which can hang an inference worker indefinitely and result in a denial of service.

Impact Analysis

This vulnerability can cause a denial of service by allowing a specially crafted regular expression to hang an inference worker indefinitely. This means that a single malicious request can exhaust system resources, making the service unavailable to legitimate users and potentially disrupting operations that rely on the vLLM inference engine.

Mitigation Strategies

To mitigate this vulnerability, upgrade vLLM to version 0.24.0 or later, where the issue with the structured_outputs.regex API parameter has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55574. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart