Moderate severity · NVD Advisory · Published Sep 6, 2025 · Updated Sep 8, 2025
xgrammar vulnerable to denial of service by huge enum grammar
CVE-2025-58446
Description
xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in 0.1.23 processes large grammars (more than 100k characters) at very low rates, so a caller who can submit an oversized grammar (the advisory title names a huge enum) can tie up the server and cause a denial of service (DoS) against model providers. This issue is fixed in version 0.1.24.
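The two checks a deployer of this library wants are (1) whether the installed xgrammar falls in the affected range and (2) a size gate that rejects oversized caller-supplied grammars before they reach the compiler, as a stopgap while upgrading. The block below is an added example, not code from xgrammar or from the advisory. It does not call xgrammar at all: MAX_GRAMMAR_CHARS is an assumed operator threshold taken from the advisory's ">100k characters" figure, and huge_enum_schema builds a constructed JSON schema of the shape the title describes so the gate can be exercised offline.

```python
"""Pre-compilation guards for caller-supplied grammars (added example, not xgrammar code)."""
import json
import re
from importlib import metadata
from typing import Optional, Tuple

# Assumed operator policy: the advisory says grammars above ~100k characters hit the
# slow optimizer path, so reject anything that large before it reaches the compiler.
MAX_GRAMMAR_CHARS = 100_000

# Affected range from the advisory: >= 0.1.23, < 0.1.24
VULNERABLE_MIN = (0, 1, 23)
FIXED = (0, 1, 24)


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading numeric components of a version string ("0.1.23.post1" -> (0, 1, 23))."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def xgrammar_is_vulnerable(version: str) -> bool:
    """True if this xgrammar version lies in the affected range of CVE-2025-58446."""
    v = parse_version(version)
    return VULNERABLE_MIN <= v < FIXED


def installed_xgrammar_vulnerable() -> Optional[bool]:
    """Check the xgrammar distribution installed in this environment; None if absent."""
    try:
        return xgrammar_is_vulnerable(metadata.version("xgrammar"))
    except metadata.PackageNotFoundError:
        return None


def check_grammar_size(grammar: str, limit: int = MAX_GRAMMAR_CHARS) -> str:
    """Reject oversized grammars before compilation; returns the grammar unchanged when acceptable."""
    if len(grammar) > limit:
        raise ValueError(f"grammar too large: {len(grammar)} chars > limit of {limit}")
    return grammar


def huge_enum_schema(n_values: int) -> str:
    """Constructed JSON schema with an n-value enum; 10,000 values is roughly 150k characters."""
    schema = {"type": "string", "enum": [f"value_{i:06d}" for i in range(n_values)]}
    return json.dumps(schema, separators=(",", ":"))


if __name__ == "__main__":
    print("installed xgrammar vulnerable:", installed_xgrammar_vulnerable())
    for n in (100, 10_000):
        candidate = huge_enum_schema(n)
        try:
            check_grammar_size(candidate)
            print(f"enum of {n} values ({len(candidate)} chars): accepted")
        except ValueError as exc:
            print(f"enum of {n} values: rejected ({exc})")
```

The size gate is a coarse defence in depth, not a substitute for the 0.1.24 upgrade: a grammar just under the threshold still goes through the slow optimizer. The version check reads the installed distribution's metadata, so in container images that ship their own vLLM/xgrammar build (such as the Chainguard packages listed under Affected products) the package version of the image, not only the PyPI version, is what to compare.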
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xgrammar (PyPI) | >= 0.1.23, < 0.1.24 | 0.1.24 |
Affected products
Three OSV coordinates, none with a CPE assigned:
- pkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9: < 25.7.1_git20251001-r1
- pkg:apk/chainguard/tritonserver-backend-vllm-meta-cuda-12.9: < 25.7.1_git20251001-r1
- pkg:pypi/xgrammar: >= 0.1.23, < 0.1.24
References
- https://github.com/advisories/GHSA-9q5r-wfvf-rr7f (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-58446 (NVD entry)
- https://github.com/mlc-ai/xgrammar/commit/ced69c3ad2f8f61b516cc278a342e7c644383e27 (fix commit)
- https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-9q5r-wfvf-rr7f (project security advisory)