vLLM Denial-of-Service Vulnerability via Invalid JSON Schema in Guided Parameter

Vulnerability

A denial-of-service vulnerability has been identified in vLLM, an inference and serving engine for large language models. It affects vLLM versions from 0.8.0 up to, but not including, 0.9.0. When the '/v1/completions' API is called with an invalid JSON schema as a guided-decoding parameter, the vLLM server crashes: the server does not handle the validation error raised by the 'xgrammar' library, so the exception propagates uncaught and terminates the server process.

Impact

A single request carrying such a schema crashes the vLLM server, which aborts every in-flight request and leaves the service unavailable until the process is restarted. Any client that can reach the endpoint can repeat the crash at will.

Reproduction

To reproduce this vulnerability, send a request to the '/v1/completions' API whose 'guided_json' parameter contains an invalid JSON schema. The 'xgrammar' library raises a validation error while processing the schema, the server does not catch it, and the server process exits.

Remediation

Upgrade to vLLM version 0.9.0 or later, where this issue is fixed. Where upgrading is not immediately possible, restrict which clients can reach the '/v1/completions' endpoint and reject requests whose 'guided_json' value is malformed before they are forwarded to vLLM.
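The following is an added example, not code from vLLM, xgrammar or this advisory, that covers both the Reproduction and Remediation sections above: it builds a request body in the shape the page describes, screens such bodies at a gateway so that a malformed 'guided_json' is turned into a 400 response instead of an uncaught exception, and gates on the affected version range. Only the version range and the 'guided_json' field name come from the page; the function names, the probe body, the particular malformed schema (an unknown 'type' value, which the page does not identify as the trigger), the acceptance of 'guided_json' as a JSON string, and the structural rules the pre-filter enforces are assumptions. It uses only the standard library and runs offline.

```python
import json
import re

# Affected range taken from the advisory: 0.8.0 <= version < 0.9.0.
AFFECTED_MIN = (0, 8, 0)
FIXED = (0, 9, 0)

# JSON Schema primitive type names; anything else is treated as malformed.
JSON_SCHEMA_TYPES = {"object", "array", "string", "number", "integer", "boolean", "null"}


def parse_version(version):
    """Turn 'X.Y.Z' (optionally with a suffix such as 'rc1') into a 3-tuple of ints."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(vllm_version):
    """True if the installed vLLM falls in the vulnerable range named on the page.
    A pre-release of the fixed version (e.g. '0.9.0rc1') is conservatively treated
    as affected, since it precedes the 0.9.0 release (assumption)."""
    v = parse_version(vllm_version)
    if v == FIXED and re.search(r"[A-Za-z]", vllm_version):
        return True
    return AFFECTED_MIN <= v < FIXED


class SchemaCheckError(ValueError):
    """Raised by check_schema for a structurally malformed schema fragment."""


def check_schema(node, path="$"):
    """Narrow structural pre-filter for a JSON Schema fragment (assumption: this is
    not a full validator; it only admits object-form schemas with known 'type'
    names and well-formed 'properties', 'items' and combinator lists)."""
    if not isinstance(node, dict):
        raise SchemaCheckError(f"{path}: schema must be a JSON object, got {type(node).__name__}")
    declared = node.get("type")
    if declared is not None:
        for item in declared if isinstance(declared, list) else [declared]:
            if not isinstance(item, str) or item not in JSON_SCHEMA_TYPES:
                raise SchemaCheckError(f"{path}.type: unknown type {item!r}")
    props = node.get("properties")
    if props is not None:
        if not isinstance(props, dict):
            raise SchemaCheckError(f"{path}.properties: must be an object")
        for name, sub in props.items():
            check_schema(sub, f"{path}.properties.{name}")
    required = node.get("required")
    if required is not None and (
        not isinstance(required, list) or not all(isinstance(r, str) for r in required)
    ):
        raise SchemaCheckError(f"{path}.required: must be a list of strings")
    if node.get("items") is not None:
        check_schema(node["items"], f"{path}.items")
    for key in ("anyOf", "oneOf", "allOf"):
        alts = node.get(key)
        if alts is None:
            continue
        if not isinstance(alts, list):
            raise SchemaCheckError(f"{path}.{key}: must be a list")
        for i, sub in enumerate(alts):
            check_schema(sub, f"{path}.{key}[{i}]")
    return True


def screen_request(raw_body):
    """Gateway-side screening of a /v1/completions body (str or bytes).
    Returns (status, detail): 200 if the body may be forwarded, 400 otherwise.
    Never raises: every failure, including a JSON decode error or a
    RecursionError from a deeply nested schema, becomes a 400, so a malformed
    'guided_json' cannot take down the process doing the screening."""
    try:
        body = json.loads(raw_body)
        if not isinstance(body, dict):
            return 400, "request body must be a JSON object"
        schema = body.get("guided_json")
        if schema is None:
            return 200, "no guided_json present"
        if isinstance(schema, str):  # assumption: schema may also arrive as a JSON string
            schema = json.loads(schema)
        check_schema(schema)
        return 200, "guided_json passed structural check"
    except (ValueError, TypeError, RecursionError) as exc:
        return 400, f"rejected guided_json: {exc}"


def build_probe(model="any-model", prompt="Say hello"):
    """Constructed sample request in the shape the page describes: a 'guided_json'
    that is not a valid JSON Schema. The unknown 'type' value is an assumed
    example of an invalid schema; the page does not name the exact input."""
    return {
        "model": model,
        "prompt": prompt,
        "max_tokens": 16,
        "guided_json": {"type": "object", "properties": {"name": {"type": "not-a-json-schema-type"}}},
    }


def probe_body():
    """The constructed probe serialised as the request body a client would send."""
    return json.dumps(build_probe())


if __name__ == "__main__":
    for ver in ("0.7.3", "0.8.0", "0.8.5", "0.9.0rc1", "0.9.0"):
        print(f"vLLM {ver}: {'affected' if is_affected(ver) else 'not affected'}")
    print(screen_request(probe_body()))
    print(screen_request('{"model": "m", "prompt": "hi", "guided_json": {"type": "string"}}'))
```

Run it in front of a vulnerable deployment (for example as the request filter in a reverse proxy) and log every 400 it emits; a burst of rejected 'guided_json' bodies is the signal that someone is probing for this crash. The pre-filter is deliberately strict, so legitimate schemas that use boolean sub-schemas or non-object forms would be rejected too; that trade-off is acceptable as a stopgap but is no substitute for upgrading.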

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.