6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29770

GHSA ID

GHSA-mgrm-fgjv-mhv8

EPSS Score

0.21065%

CWE

CWE-770

Published

3/19/2025

Updated

3/20/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29770

CVE-2025-29770: vLLM denial of service via outlines unbounded cache on disk

Impact

The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server.

The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. vLLM should have this off by default and allow administrators to opt-in due to the potential for abuse.

A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space.

Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request.

This issue applies to the V0 engine only. The V1 engine is not affected.

Patches

https://github.com/vllm-project/vllm/pull/14837

The fix is to disable this cache by default since it does not provide an option to limit its size. If you want to use this cache anyway, you may set the VLLM_V0_USE_OUTLINES_CACHE environment variable to 1.

Workarounds

There is no way to workaround this issue in existing versions of vLLM other than preventing untrusted access to the OpenAI compatible API server.

References

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29770

GHSA ID

GHSA-mgrm-fgjv-mhv8

EPSS Score

0.21065%

CWE

CWE-770

Published

3/19/2025

Updated

3/20/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vllm	pip

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from outlines' cache being enabled by default through the @cache decorator applied to these class methods. These methods compile and cache grammar specifications (regex/CFG) to disk. As they lack size limits or cleanup mechanisms, repeated calls with unique schemas (via malicious requests) would accumulate cached files until disk space is exhausted. The patch addressed this by making caching opt-in via environment variable rather than default behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** [outlin*s](*ttps://*ottxt-*i.*it*u*.io/outlin*s/l*t*st/) li*r*ry is on* o* t** ***k*n*s us** *y vLLM to support stru*tur** output (*.k.*. *ui*** ***o*in*). Outlin*s provi**s *n option*l ***** *or its *ompil** *r*mm*rs on t** lo**l *il*

Reasoning

T** vuln*r**ility st*ms *rom outlin*s' ***** **in* *n**l** *y ****ult t*rou** t** `@*****` ***or*tor *ppli** to t**s* *l*ss m*t*o*s. T**s* m*t*o*s *ompil* *n* ***** *r*mm*r sp**i*i**tions (r***x/***) to *isk. *s t**y l**k siz* limits or *l**nup m****

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-29770: vLLM denial of service via outlines unbounded cache on disk

Impact

Patches

Workarounds

References

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI