CVE-2025-48942: vLLM DOS: Remotely kill vllm over http with invalid JSON schema
Sending a request to the /v1/completions API with an invalid json_schema as a guided-decoding parameter crashes the vllm server, so a single malformed request takes the whole inference service down (denial of service). The linked commit and pull request contain the fix; upgrade to a release that includes them.
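The failure mode and its mitigation, as an added illustration that is not vLLM's own code: a malformed guided-decoding schema must fail the one request with a 4xx, never escape as an exception into the engine loop. `check_schema`, `compile_grammar`, `handle_unguarded`, `handle_guarded` and `serve` are hypothetical stand-ins for the real request handler and grammar compiler, and the sample traffic is constructed.

```python
import json
from typing import Any, Callable

# Keywords a grammar compiler would need to understand; hypothetical subset.
_JSON_TYPES = {"object", "array", "string", "number", "integer", "boolean", "null"}


class SchemaError(ValueError):
    """A schema the server must refuse for this request only."""


def check_schema(schema: Any, path: str = "$") -> None:
    """Structural sanity check of a (subset of) JSON Schema.

    Not a full validator: it catches the malformed inputs a grammar compiler
    would choke on (wrong container types, unknown 'type' names, a 'required'
    entry that is not a string) and raises SchemaError with a JSON-path hint.
    """
    if not isinstance(schema, dict):
        raise SchemaError(f"{path}: schema must be a JSON object, got {type(schema).__name__}")
    declared = schema.get("type")
    if declared is not None:
        for t in (declared if isinstance(declared, list) else [declared]):
            if t not in _JSON_TYPES:
                raise SchemaError(f"{path}.type: unknown type {t!r}")
    props = schema.get("properties")
    if props is not None:
        if not isinstance(props, dict):
            raise SchemaError(f"{path}.properties: must be an object")
        for name, sub in props.items():
            check_schema(sub, f"{path}.properties.{name}")
    required = schema.get("required")
    if required is not None:
        if not isinstance(required, list) or not all(isinstance(r, str) for r in required):
            raise SchemaError(f"{path}.required: must be a list of property names")
    items = schema.get("items")
    if items is not None:
        check_schema(items, f"{path}.items")


def compile_grammar(guided_json: Any) -> str:
    """Stand-in for the guided-decoding grammar compiler (hypothetical).

    Accepts the schema as a dict or as a JSON string, like the API field, and
    raises on anything it cannot turn into a grammar.
    """
    schema = json.loads(guided_json) if isinstance(guided_json, str) else guided_json
    check_schema(schema)
    return "grammar:" + json.dumps(schema, sort_keys=True, separators=(",", ":"))


def handle_unguarded(request: dict) -> dict:
    """Vulnerable pattern: a compile failure propagates out of the handler."""
    return {"status": 200, "grammar": compile_grammar(request["guided_json"])}


def handle_guarded(request: dict) -> dict:
    """Fixed pattern: the failure is converted into a 400 for this request."""
    try:
        grammar = compile_grammar(request["guided_json"])
    except (SchemaError, ValueError, TypeError) as exc:  # JSONDecodeError is a ValueError
        return {"status": 400, "error": f"invalid guided_json: {exc}"}
    return {"status": 200, "grammar": grammar}


def serve(handler: Callable[[dict], dict], requests: list[dict]) -> tuple[bool, list[int]]:
    """Simulated engine loop (hypothetical model of the server).

    Returns (alive, statuses). If an exception escapes a handler the loop stops,
    which models the real impact: one bad request and every later request is lost.
    """
    statuses: list[int] = []
    try:
        for req in requests:
            statuses.append(handler(req)["status"])
    except Exception:
        return False, statuses
    return True, statuses


# Constructed sample traffic: two well-formed requests around one malformed one
# (unknown type name and a 'required' that is not a list).
GOOD = {
    "prompt": "Return a JSON object",
    "guided_json": {"type": "object", "properties": {"name": {"type": "string"}}, "required": ["name"]},
}
BAD = {
    "prompt": "Return a JSON object",
    "guided_json": {"type": "object", "properties": {"name": {"type": "strng"}}, "required": "name"},
}
TRAFFIC = [GOOD, BAD, GOOD]

if __name__ == "__main__":
    print("unguarded:", serve(handle_unguarded, TRAFFIC))  # (False, [200])
    print("guarded:  ", serve(handle_guarded, TRAFFIC))    # (True, [200, 400, 200])
```

The unguarded loop dies on the second request and the third well-formed one is never served; the guarded loop answers 400 for the bad schema and keeps going. The same containment applies to a schema that arrives as an unparseable JSON string, since `json.JSONDecodeError` is a `ValueError`.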
References
- github.com/advisories/GHSA-6qc9-v4r8-22xg
- github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-54.yaml
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff
- github.com/vllm-project/vllm/issues/17248
- github.com/vllm-project/vllm/pull/17623
- github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg
- nvd.nist.gov/vuln/detail/CVE-2025-48942