Regular Expression Denial of Service in vLLM by vLLM Project
CVE-2025-71379

5.3 MEDIUM

Key Information:

Vendor: Vllm
Status: Vendor
CVE Published: 20 June 2026

What is CVE-2025-71379?

vLLM versions 0.6.3 through 0.8.9 are susceptible to multiple regular expression denial of service (ReDoS) vulnerabilities. Regex patterns in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint are prone to catastrophic backtracking. An attacker can trigger this by submitting specially crafted input containing nested or repeated structures, causing excessive CPU consumption and severe performance degradation that leaves the affected service unable to respond.
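The advisory does not publish the affected patterns, so the following added example (not vLLM's code) uses a constructed textbook pattern with the same shape it describes, a quantified group whose body is itself quantified, and pairs it with the two defences a maintainer would apply: a rewrite in which each character can be consumed only one way, and a request-side input length cap (`MAX_INPUT_LEN` is an assumed value, not taken from the advisory). The sample strings are constructed and deliberately short.

```python
import re

# Constructed illustration only: this is NOT the pattern from vLLM. It has the
# catastrophic-backtracking shape the advisory names: a quantified group whose
# body (\w+ followed by an optional \s) can split the same run of word
# characters in many ways, so on a near-miss input the engine retries every
# partition and the work grows exponentially with the length of the run.
VULNERABLE_PATTERN = re.compile(r"(\w+\s?)*")

# Hardened rewrite accepting the same inputs: words separated by single
# whitespace characters, optional trailing whitespace, or the empty string.
# Because \w and \s are disjoint, each character can be consumed in only one
# way, so the engine's work stays proportional to the input length.
LINEAR_PATTERN = re.compile(r"\w+(\s\w+)*\s?|")

# Assumed service-side cap on text handed to a regex-based parser; the real
# limit depends on the endpoint and is not taken from the advisory.
MAX_INPUT_LEN = 4096


def match_bounded(pattern, text, max_len=MAX_INPUT_LEN):
    """Return True/False for a full match, or None if the input exceeds the cap.

    The length cap is the cheapest defence-in-depth: even a pattern that has
    not yet been rewritten can only burn a bounded amount of CPU per request.
    """
    if len(text) > max_len:
        return None
    return pattern.fullmatch(text) is not None


def patterns_agree(samples):
    """Check that the hardened pattern accepts exactly what the original did.

    Only short inputs are used: the point of the rewrite is that the original
    cannot safely be evaluated on long near-miss inputs at all.
    """
    return all(
        match_bounded(VULNERABLE_PATTERN, s) == match_bounded(LINEAR_PATTERN, s)
        for s in samples
    )


# Constructed samples: accepted cases, rejected cases, and near-miss inputs
# that end in a character neither \w nor \s can consume.
SAMPLES = ["", "word", "two words", "trailing ", "tab\tsep", "double  space",
           " leading", "near-miss!", "a" * 12 + "!"]

if __name__ == "__main__":
    print("rewrite equivalent on samples:", patterns_agree(SAMPLES))
    print("oversized input rejected:", match_bounded(LINEAR_PATTERN, "x" * 5000))
```

Keeping the equivalence samples short is deliberate: the regression test for a ReDoS fix should assert that the rewritten pattern accepts and rejects the same inputs, while the performance property is enforced structurally (no nested quantifiers over overlapping character classes) and by the cap, not by timing the old pattern.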

Affected Version(s)

vllm >= 0.6.3, < 0.9.0

vllm 0.9.0

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

kexinoh
russellb
mgoin