cvedb.io
CVE-2025-71379
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2026-06-20T19:16:23.410 · Last modified 2026-06-26T20:25:13.760

Summary

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker submitting crafted input with nested or repeated structures can trigger severe CPU consumption and performance degradation, resulting in denial of service.

Affected products

vllm — vllm

Does this affect you?

Add your gear to cvedb and we'll alert you only when vllm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.