CVE-2025-57809: 
Python vulnerability analysis and mitigation

XGrammar, an open-source library for efficient, flexible, and portable structured generation, was found to contain an infinite recursion vulnerability (CVE-2025-57809) prior to version 0.1.21. The vulnerability was discovered on August 25, 2025, affecting all versions up to 0.1.20 (GitHub Advisory, NVD).

The vulnerability stems from an infinite recursion issue in the grammar processing within the GrammarMatcherBase::ExpandEquivalentStackElements function, which can lead to unbounded stack growth and eventual segmentation faults. The issue has been assigned a CVSS v4.0 base score of 7.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P. The vulnerability is classified as CWE-674 (Uncontrolled Recursion) (NVD, Red Hat).

The vulnerability can be exploited to cause a denial of service condition through process termination or complete resource exhaustion. Since xgrammar is commonly integrated into long-running LLM inference services and API backends, a single crafted grammar can consistently force these services into a denial-of-service state, making it a practical, high-impact attack vector (Red Hat).

The vulnerability has been patched in XGrammar version 0.1.21. Users are advised to upgrade to this version or later to resolve the infinite recursion issue. No alternative workarounds are available for users who cannot immediately upgrade (GitHub Advisory).