GHSA-j828-28rj-hfhp: vLLM vulnerable to Regular Expression Denial of Service
A recent review identified several regular expressions in the vLLM codebase that are susceptible to Regular Expression Denial of Service (ReDoS) attacks. When fed crafted or malicious input, these patterns may cause severe performance degradation due to catastrophic backtracking.
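An added example, not code from vLLM or from this advisory: a constructed pattern with the nested-quantifier shape that produces catastrophic backtracking, next to a linear rewrite and an input length cap, with a timing check suitable for a regression test. The patterns, `MAX_INPUT_LEN` and the helper names are assumptions made for illustration.

```python
import re
import time

# Constructed patterns for illustration; neither is taken from the vLLM codebase.
NESTED = re.compile(r"^(\w+\s?)+$")          # quantifier inside a quantifier
LINEAR = re.compile(r"^\w+(?:\s\w+)*\s?$")   # same language, only one way to match

MAX_INPUT_LEN = 256  # assumed cap; choose per input field


def probe(n):
    """Constructed non-matching input: n word characters, then one that forces failure."""
    return "a" * n + "!"


def match_seconds(pattern, text):
    """Wall-clock time for one anchored match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def growth(pattern, sizes=(12, 14, 16, 18)):
    """Timings over growing probes; time multiplying with each size step
    signals exponential backtracking."""
    return [match_seconds(pattern, probe(n)) for n in sizes]


def safe_match(text):
    """Mitigation: reject oversized input first, then use the linear pattern."""
    if len(text) > MAX_INPUT_LEN:
        return False
    return LINEAR.match(text) is not None


if __name__ == "__main__":
    for name, pat in (("nested", NESTED), ("linear", LINEAR)):
        print(name, ["%.6f" % t for t in growth(pat)])
```

The nested pattern's time grows roughly fourfold for every two extra characters, while the linear pattern stays flat; a CI check can assert on that ratio for every regex that touches untrusted input.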