CVE-2025-58446: 
Python vulnerability analysis and mitigation

CVE-2025-58446 affects xgrammar, an open-source library for efficient, flexible, and portable structured generation. The vulnerability was discovered in version 0.1.23 and was fixed in version 0.1.24. The issue involves a grammar optimizer that processes large grammars (>100k characters) at very low rates, which can be exploited for denial of service attacks against model providers (GitHub Advisory).

The vulnerability stems from a performance regression in the grammar optimizer introduced in version 0.1.23. When processing grammars larger than 100k characters, the optimizer performs significantly slower than expected. The issue is particularly noticeable when handling large enum grammars, where the grammar parsing time exceeds the LLM processing time itself. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (MEDIUM) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (NVD).

The vulnerability can be exploited to perform denial of service (DOS) attacks against model providers. The affected grammar optimizer processes large grammars at such low rates that it significantly impacts performance, with grammar parsing taking longer than the actual LLM processing. This can effectively bottleneck the system and degrade service quality (GitHub Advisory).

The vulnerability has been fixed in xgrammar version 0.1.24. The fix optimizes the speed of the grammar optimizer and disables certain slow optimizations for large grammars. Users are advised to upgrade to version 0.1.24 or later to address this vulnerability (GitHub Advisory).