6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-32381

GHSA ID

GHSA-389x-67px-mjg3

EPSS Score

0.17447%

CWE

CWE-770

Published

4/9/2025

Updated

4/9/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32381

CVE-2025-32381: xgrammar Vulnerable to Denial of Service (DoS) by abusing unbounded cache in memory

Summary

Xgrammar includes a cache for compiled grammars to increase performance with repeated use of the same grammar. This cache is held in memory. Since the cache is unbounded, a system making use of xgrammar can be abused to fill up a host's memory and case a denial of service. For example, sending many small requests to an LLM inference server with unique JSON schemas would eventually cause this denial of service to occur.

Details

The fix is to add a limit to the cache size. This was done in https://github.com/mlc-ai/xgrammar/pull/243

An example of making use of the new cache size limit can be found in vLLM here: https://github.com/vllm-project/vllm/pull/16283

Impact

Any system making use of Xgrammar and taking requests as input from potentially untrusted parties would be vulnerable to this denial of service issue.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-32381

GHSA ID

GHSA-389x-67px-mjg3

EPSS Score

0.17447%

CWE

CWE-770

Published

4/9/2025

Updated

4/9/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
xgrammar	pip	< 0.1.18	0.1.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an unbounded cache in xgrammar. The provided patch information from commit ef8d18d653366ea7eff736ac38918af32acf4728 (part of PR #243 which fixes the issue) modifies cpp/support/thread_safe_cache.h. Specifically, it shows changes to the ThreadSafeCacheSized2::GetFuture method. This method is responsible for fetching items from the cache or, if not present, computing them and adding them to the cache. The core of the vulnerability lies in the step where new items are added to the cache's underlying storage (an std::unordered_map) without checking if the cache has exceeded a size limit. The line auto [it, success] = map.try_emplace(key); within GetFuture (or its equivalent in the vulnerable code) is where this insertion happens. The class ThreadSafeCacheSized2 and the commit message suggest this is the fixed, size-aware version. Therefore, the vulnerable function is the logical predecessor or the unfixed version of this GetFuture method, which performed the cache insertion without bounds checking, leading to the DoS.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry X*r*mm*r in*lu**s * ***** *or *ompil** *r*mm*rs to in*r**s* p*r*orm*n** wit* r*p**t** us* o* t** s*m* *r*mm*r. T*is ***** is **l* in m*mory. Sin** t** ***** is un*oun***, * syst*m m*kin* us* o* x*r*mm*r **n ** **us** to *ill up * *ost's

Reasoning

T** vuln*r**ility is *n un*oun*** ***** in x*r*mm*r. T** provi*** p*t** in*orm*tion *rom *ommit `****************************************` (p*rt o* PR #*** w*i** *ix*s t** issu*) mo*i*i*s `*pp/support/t*r***_s***_*****.*`. Sp**i*i**lly, it s*ows ***n

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-32381: xgrammar Vulnerable to Denial of Service (DoS) by abusing unbounded cache in memory

Summary

Details

Impact

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI