CVE-2025-48887: vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`
(updated )
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable.
References
- github.com/advisories/GHSA-w6q7-j642-7c25
- github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-50.yaml
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601
- github.com/vllm-project/vllm/pull/18454
- github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25
- nvd.nist.gov/vuln/detail/CVE-2025-48887
Code Behaviors & Features
Detect and mitigate CVE-2025-48887 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →