CVE-2025-48944

Status: Published · CVSS 6.5 (Medium)

vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, so a single request can crash the inference worker. The worker remains down until it is restarted. Version 0.9.0 fixes the issue.

EPSS 0.32% · 55.1st percentile

Risk Scores

CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.32% (55.1st percentile)

Affected Products

Vendor        Product  Versions
PyPI          vllm     0.8.0
vllm-project  vllm     >= 0.8.0, < 0.9.0
vllm          vllm     0.8.0

Timeline

  • Security Advisory (date not recorded; the source shows a placeholder timestamp)
  • May 28, 2025 CVE Published
  • May 30, 2025 CVE Updated
  • May 30, 2025 PoC Published
  • May 31, 2025 EPSS Score
  • Jun 11, 2025 EPSS Score
  • Jun 15, 2025 Coalition ESS Score
  • Jun 22, 2025 EPSS Score
  • Jul 1, 2025 Coalition ESS Score
  • Jul 2, 2025 EPSS Score
  • Jul 13, 2025 EPSS Score