{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37074?format=json","vulnerability_id":"VCID-ugds-eqgw-fbbz","summary":"vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.","aliases":[{"alias":"CVE-2025-48887"},{"alias":"PYSEC-2025-50"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45283?format=json","purl":"pkg:pypi/vllm@0.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.9.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44380?format=json","purl":"pkg:pypi/vllm@0.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-w9kt-yaqy-47fb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/44381?format=json","purl":"pkg:pypi/vllm@0.6.4.post1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-w9kt-yaqy-47fb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.6.4.post1"},{"url":"http://public2.vulnerablecode.io/api/packages/44382?format=json","purl":"pkg:pypi/vllm@0.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-w9kt-yaqy-47fb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.6.5"},{"url":"http://public2.vulnerablecode.io/api/packages/44383?format=json","purl":"pkg:pypi/vllm@0.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-w9kt-yaqy-47fb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.6.6"},{"url":"http://public2.vulnerablecode.io/api/packages/44384?format=json","purl":"pkg:pypi/vllm@0.6.6.post1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-w9kt-yaqy-47fb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.6.6.post1"},{"url":"http://public2.vulnerablecode.io/api/packages/44385?format=json","purl":"pkg:pypi/vllm@0.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/44389?format=json","purl":"pkg:pypi/vllm@0.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-737m-tpkz-qffm"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/44390?format=json","purl":"pkg:pypi/vllm@0.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/44633?format=json","purl":"pkg:pypi/vllm@0.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-k1qz-xe9c-2bg3"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-u659-sd9h-tkf3"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.7.3"},{"url":"http://public2.vulnerablecode.io/api/packages/44634?format=json","purl":"pkg:pypi/vllm@0.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/45029?format=json","purl":"pkg:pypi/vllm@0.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/45030?format=json","purl":"pkg:pypi/vllm@0.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/45031?format=json","purl":"pkg:pypi/vllm@0.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-q8jt-32dy-w7cp"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/45032?format=json","purl":"pkg:pypi/vllm@0.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-fxgs-s1vm-8bez"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.4"},{"url":"http://public2.vulnerablecode.io/api/packages/45033?format=json","purl":"pkg:pypi/vllm@0.8.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/45282?format=json","purl":"pkg:pypi/vllm@0.8.5.post1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ec1-1h6d-tuaq"},{"vulnerability":"VCID-e8w2-9rwg-u7ba"},{"vulnerability":"VCID-nctw-rz8h-f3af"},{"vulnerability":"VCID-qake-z4ec-wkdu"},{"vulnerability":"VCID-svzy-7pke-2bdr"},{"vulnerability":"VCID-ugds-eqgw-fbbz"},{"vulnerability":"VCID-za3a-c9m1-jqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.8.5.post1"}],"references":[{"reference_url":"https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601"},{"reference_url":"https://github.com/vllm-project/vllm/pull/18454","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vllm-project/vllm/pull/18454"},{"reference_url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25"}],"weaknesses":[],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ugds-eqgw-fbbz"}