CVE Alert: CVE-2025-48887

Vulnerability Summary: CVE-2025-48887
vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` in versions 0.6.4 up to but excluding 0.9.0. The root cause is a highly complex, nested regular expression used to detect tool calls in model output. The pattern contains multiple nested quantifiers, optional groups and inner repetitions, which makes it vulnerable to catastrophic backtracking: a crafted input forces the regex engine to explore an exponential number of ways to match before it fails, and an attacker can use this to cause severe performance degradation or make the service unavailable. Version 0.9.0 contains a patch for the issue.
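As an added illustration (this is not vLLM's code and not the vulnerable pattern itself), the Python below puts a constructed tool-call regex with the same structural weaknesses the advisory describes (an inner repetition whose greedy `\S+` can also swallow the following `k=v,` units, an optional group, and a nested outer repetition) next to a linear-time check built on `ast.parse`. The payload generator, the `MAX_TOOL_CALL_LEN` bound and the `ast`-based checker are assumptions made for this example, not the fix shipped in 0.9.0.

```python
"""Illustrative ReDoS demonstration added for this alert (not vLLM code).

NAIVE_TOOL_CALL_RE is a constructed pattern with the weaknesses the advisory
describes; it is NOT the regex from pythonic_tool_parser.py. The ast-based
checker is one possible hardened design, not the fix shipped in vLLM 0.9.0.
"""
import ast
import re
import time

# Constructed pattern for text shaped like "[name(k=v, k=v), name(k=v)]".
# Problem: inside "(\w+=\S+,\s*)*" the greedy "\S+" can also swallow later
# "k=v," units, so on a non-matching input the engine tries every way of
# splitting the units between repetitions: 2^(n-1) paths for n units.
NAIVE_TOOL_CALL_RE = re.compile(
    r"^\[(\w+\((\w+=\S+,\s*)*(\w+=\S+)?\),?\s*)*\]$"
)


def naive_is_tool_call(text: str) -> bool:
    """Regex-based detection in the vulnerable style."""
    return NAIVE_TOOL_CALL_RE.match(text) is not None


def redos_payload(units: int) -> str:
    """Constructed attacker input: a plausible prefix that never closes, so
    every backtracking path is explored before the match finally fails."""
    return "[f(" + "a=b," * units + "!"


def time_match(text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one regex match (less timer noise)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        naive_is_tool_call(text)
        best = min(best, time.perf_counter() - start)
    return best


def backtracking_growth(sizes=(8, 10, 12, 14, 16)):
    """Return [(units, seconds), ...]; time grows exponentially with units."""
    return [(n, time_match(redos_payload(n))) for n in sizes]


MAX_TOOL_CALL_LEN = 4096  # assumed service-level bound on tool-call text


def safe_is_tool_call(text: str) -> bool:
    """Linear-time alternative: cap the length, then let Python's own parser
    decide whether the text is a list of keyword-only calls. ast.parse is not
    a backtracking matcher, so cost grows with input length, not with the
    number of ways to split it."""
    if len(text) > MAX_TOOL_CALL_LEN:
        return False
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except (SyntaxError, ValueError, MemoryError, RecursionError):
        return False
    body = tree.body
    if not isinstance(body, ast.List) or not body.elts:
        return False
    for call in body.elts:
        if not (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)):
            return False
        if call.args:  # positional or *args: not the "name(k=v)" shape
            return False
        if any(kw.arg is None for kw in call.keywords):  # **kwargs
            return False
    return True


if __name__ == "__main__":
    for n, secs in backtracking_growth():
        print(f"{n:2d} units: {secs * 1000:8.2f} ms (naive regex)")
    print("safe checker on 16 units:", safe_is_tool_call(redos_payload(16)))
```

Running the block prints the match time for 8 to 16 repeated `a=b,` units; each additional two units multiplies the regex time by roughly four, while the `ast`-based checker rejects the same payload in constant-looking time. The general lesson for any tool-call parser is the same: match model output with a real parser or a regex that has no ambiguous nested repetitions, and put an explicit length bound in front of it.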
Affected Endpoints:
No affected endpoints listed.
Published Date:
5/30/2025, 6:15:32 PM
⚠️ CVSS Score:
Exploit Status:
Not Exploited
References:
- https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601
- https://github.com/vllm-project/vllm/pull/18454
- https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25
Recommended Action:
Upgrade vLLM to version 0.9.0 or later, which contains the fix (see the commit and pull request referenced above). Until the upgrade is applied, refer to the vendor advisory for any interim guidance.