CVE-2025-71379 | vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular … | CVSS 4.3 MEDIUM

Description

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

Metadata

CVE ID: CVE-2025-71379
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 13:11 UTC
Published: 2026-06-20 18:27 UTC
Last updated: 2026-06-20 18:27 UTC
Primary CWE: CWE-1333
Inefficient Regular Expression Complexity
Vendor / Product: vllm / vllm
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected products (1)

Vendor	Product	Platform	Versions
vllm	vllm	—	0.6.3 < 0.9.0, 0.9.0

Weakness (CWE)

CWE	Source	Description
CWE-1333	cna	Inefficient Regular Expression Complexity

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References (2)

GHSA Advisory GHSA-j828-28rj-hfhp https://github.com/vllm-project/vllm/security/advisories/GHSA-j828-28rj-hfhp
VulnCheck Advisory: vllm - Regular Expression Denial of Service in Multiple Components https://www.vulncheck.com/advisories/vllm-regular-expression-denial-of-service-in-multiple-components