-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PythonPython| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| xgrammar | pip | < 0.1.21 | 0.1.21 |
Miggo AIRoot Cause AnalysisThe vulnerability is a denial of service caused by uncontrolled recursion when processing grammars with left-recursive rules. The root cause was the use of a recursive descent-like parser (GrammarMatcherBase) which is not capable of handling such grammars. An attacker could craft a malicious grammar that, when compiled or used for matching, would cause the application to enter an infinite loop and crash.
The patch addresses this vulnerability by replacing the entire parsing engine with an Earley parser. The Earley parsing algorithm is well-suited for handling all context-free grammars, including those with left-recursion. The core of the fix is in the new EarleyParser class and its methods, which are now used by GrammarMatcher and GrammarCompiler.
The vulnerable functions identified were the main entry points to the old, vulnerable parsing logic. Any application using xgrammar to process user-supplied grammars would have been at risk. The patch effectively eliminates this vulnerability by using a more robust parsing algorithm.