6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-w6q7-j642-7c25

EPSS Score

CWE

CWE-1333

Published

5/28/2025

Updated

5/28/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-w6q7-j642-7c25

GHSA-w6q7-j642-7c25: vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable.

Details

The following regular expression is used to match tool/function call patterns:

r"\[([a-zA-Z]+\w*\(([a-zA-Z]+\w*=.*,\s*)*([a-zA-Z]+\w*=.*\s)?\),\s*)*([a-zA-Z]+\w*\(([a-zA-Z]+\w*=.*,\s*)*([a-zA-Z]+\w*=.*\s*)?\)\s*)+\]"

This pattern contains multiple nested quantifiers (*, +), optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking.

Attack Example: A malicious input such as

[A(A=	)A(A=,		)A(A=,		)A(A=,		)... (repeated dozens of times) ...]

or

"[A(A=" + "\t)A(A=,\t" * repeat

can cause the regular expression engine to consume CPU exponentially with the input length, effectively freezing or crashing the server (DoS).

Proof of Concept: A Python script demonstrates that matching such a crafted string with the above regex results in exponential time complexity. Even moderate input lengths can bring the system to a halt.

Length: 22, Time: 0.0000 seconds, Match: False
Length: 38, Time: 0.0010 seconds, Match: False
Length: 54, Time: 0.0250 seconds, Match: False
Length: 70, Time: 0.5185 seconds, Match: False
Length: 86, Time: 13.2703 seconds, Match: False
Length: 102, Time: 319.0717 seconds, Match: False

Impact

Denial of Service (DoS): An attacker can trigger a denial of service by sending specially crafted payloads to any API or interface that invokes this regex, causing excessive CPU usage and making the vLLM service unavailable.
Resource Exhaustion and Memory Retention: As this regex is invoked during function call parsing, the matching process may hold on to significant CPU and memory resources for extended periods (due to catastrophic backtracking). In the context of vLLM, this also means that the associated KV cache (used for model inference and typically stored in GPU memory) is not released in a timely manner. This can lead to GPU memory exhaustion, degraded throughput, and service instability.
Potential for Broader System Instability: Resource exhaustion from stuck or slow requests may cascade into broader system instability or service downtime if not mitigated.

Fix

https://github.com/vllm-project/vllm/pull/18454
Note that while this change has significantly improved performance, this regex may still be problematic. It has gone from exponential time complexity, O(2^N), to O(N^2).

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-w6q7-j642-7c25

EPSS Score

CWE

CWE-1333

Published

5/28/2025

Updated

5/28/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vllm	pip	>= 0.6.4, < 0.9.0	0.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Regular Expression Denial of Service (ReDoS) located in vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py. The root cause is a specific complex regular expression, TOOL_CALL_PATTERN, used for parsing tool calls. This pattern, when processed by the standard Python re module, can lead to catastrophic backtracking with certain inputs, causing excessive CPU usage and service denial.

The identified vulnerable function, vllm.entrypoints.openai.tool_parsers.pythonic_tool_parser.PythonicToolParser.parse_tool_calls, directly employs this vulnerable regex. The provided patch (commit 4fc1bf813ad80172c1db31264beaef7d93fe0601) mitigates this by replacing the standard re library with the regex library in pythonic_tool_parser.py (and other files for broader safety). The regex library is designed to handle such complex patterns more efficiently and avoid ReDoS. Therefore, any runtime profile during the exploitation of this specific ReDoS vulnerability would show PythonicToolParser.parse_tool_calls as a key function consuming resources due to the regex matching process.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry * R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS) vuln*r**ility *xists in t** *il* [`vllm/*ntrypoints/op*n*i/tool_p*rs*rs/pyt*oni*_tool_p*rs*r.py`](*ttps://*it*u*.*om/vllm-proj**t/vllm/*lo*/m*in/vllm/*ntrypoints/op*n*i/tool_p*rs*rs/pyt*oni*_

Reasoning

T** vuln*r**ility is * R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS) lo**t** in `vllm/*ntrypoints/op*n*i/tool_p*rs*rs/pyt*oni*_tool_p*rs*r.py`. T** root **us* is * sp**i*i* *ompl*x r**ul*r *xpr*ssion, `TOOL_**LL_P*TT*RN`, us** *or p*rsin* tool **lls.

6.5

Basic Information

Concerned about an active attack path?

GHSA-w6q7-j642-7c25: vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`

Summary

Details

Impact

Fix

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI