CVE-2025-48943: 
vLLM vulnerability analysis and mitigation

CVE-2025-48943 is a Denial of Service (DoS) vulnerability discovered in vLLM (an inference and serving engine for large language models) versions 0.8.0 up to but excluding 0.9.0. The vulnerability was disclosed on May 30, 2025, and causes the vLLM server to crash when an invalid regex is provided while using structured output functionality (NVD CVE, GitHub Advisory).

The vulnerability occurs in the structured output functionality when processing invalid regex patterns. When an invalid regex is provided through the API, instead of properly handling the validation error, the server crashes due to an uncaught exception. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity (NVD CVE).

The vulnerability results in a Denial of Service condition where the vLLM server crashes when processing invalid regex patterns. This affects the availability of the service, potentially disrupting operations for all users of the affected server. The impact is limited to service availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been fixed in vLLM version 0.9.0. The fix includes proper validation of grammar and implementation of error handling that returns a 400 error instead of crashing the engine when xgrammar validation fails. Users are advised to upgrade to version 0.9.0 or later (GitHub PR).