What is the CVSS score of CVE-2025-48887?

CVE-2025-48887 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.3%.

Which versions of Vllm are affected by CVE-2025-48887?

CVE-2025-48887 presents notable security risk rated CVSS 6.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.. A patch is available.

Is there a public PoC exploit available for CVE-2025-48887?

Yes, a public proof-of-concept exploit is available for CVE-2025-48887. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2025-48887?

Within 7 days: Identify affected systems and apply vendor patches promptly. Vendor patch is available.

Vllm CVE-2025-48887

MEDIUM

Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)

2025-05-30 security-advisories@github.com

Denial Of Service Vllm Red Hat

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Red Hat

6.5 MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:44 vuln.today

Patch released

Mar 28, 2026 - 18:44 nvd

Patch available

PoC Detected

Jun 19, 2025 - 00:55 vuln.today

Public exploit code

CVE Published

May 30, 2025 - 18:15 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.

AnalysisAI

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-1333. vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue. Affected products include: Vllm. Version information: Version 0.9.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Vendor StatusVendor

CVE-2025-48887 vulnerability details – vuln.today

Back

Vllm CVE-2025-48887

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code