GHSA-w6q7-j642-7c25: vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`

May 28, 2025

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable.

References

github.com/advisories/GHSA-w6q7-j642-7c25
github.com/vllm-project/vllm
github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601
github.com/vllm-project/vllm/pull/18454
github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25

Code Behaviors & Features

Detect and mitigate GHSA-w6q7-j642-7c25 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →