CVE-2025-58446: 
Python vulnerability analysis and mitigation

CVE-2025-58446 affects xgrammar, an open-source library for efficient, flexible, and portable structured generation. The vulnerability was discovered on September 6, 2025, and affects version 0.1.23 of the library. The issue involves a grammar optimizer that processes large grammars (>100,000 characters) at very low rates, which can be exploited for denial of service attacks against model providers (GitHub Advisory, NVD).

The vulnerability exists in the grammar optimizer component introduced in version 0.1.23. When processing large grammars exceeding 100,000 characters, the optimizer performs at extremely low rates, leading to processing delays. The issue has a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible vulnerability requiring no privileges or user interaction (NVD, Red Hat).

The vulnerability can be exploited to cause a Denial of Service (DoS) condition by submitting specially crafted, large grammars for processing. This leads to excessive CPU consumption and prolonged processing delays, potentially impacting the availability of model provider services. The processing time for affected grammars can exceed the LLM processing time itself (GitHub Advisory, Red Hat).

The vulnerability has been fixed in xgrammar version 0.1.24. The patch optimizes the speed of the grammar optimizer and disables certain slow optimization routines when processing very large grammars, preventing the excessive processing time that leads to the DoS condition (GitHub Advisory, GitHub Commit).