xgrammar
CVE-2026-25048
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity, unauthenticated trigger via attacker-supplied nested grammar; impact is process crash only, so C:N/I:N and A:H with unchanged scope.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10Blast Radius
ecosystem impact- 2 pypi packages depend on xgrammar (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.1.32.
DescriptionCVE.org
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
AnalysisAI
Denial of service in the mlc-ai xgrammar structured-generation library (versions prior to 0.1.32) allows remote attackers to crash the host process via deeply multi-level nested grammar syntax that triggers a segmentation fault (core dump). Because xgrammar is typically embedded in LLM inference servers to constrain model output, an attacker who can influence the grammar/schema passed to the engine can take the service offline. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.06%), but the issue is fixed and has been picked up in multiple Red Hat advisories.
Technical ContextAI
xgrammar is an open-source library (vendor mlc-ai, CPE cpe:2.3:a:mlc-ai:xgrammar) that compiles context-free grammars/JSON schemas into constraints for structured/guided generation in large language model serving stacks. The flaw is classified as CWE-674 (Uncontrolled Recursion): the grammar parser/matcher recurses without an effective depth bound, so multi-level nested syntax drives the parser into unbounded recursion that exhausts the native stack and causes a segmentation fault (core dumped). This is a memory-safety/availability failure in the native (C++/compiled) grammar-processing path rather than a logic bug in the Python wrapper, which is why it manifests as a process-terminating crash rather than a handled exception.
RemediationAI
Vendor-released patch: upgrade xgrammar to version 0.1.32 or later (https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.32), per advisory GHSA-7rgv-gqhr-fxg3. If you consume xgrammar through a Red Hat product, apply the corresponding errata (RHSA-2026:5809, RHSA-2026:6761, RHSA-2026:6762, or RHSA-2026:24977) to pick up the rebuilt package. Where immediate upgrade is not possible, reduce exposure by not allowing untrusted clients to supply arbitrary grammars/JSON schemas to the inference engine - restrict grammar input to server-side trusted templates, and add input validation that rejects excessively deep nesting before it reaches the parser (trade-off: legitimate deeply-nested schemas would be refused). Additionally place the inference endpoint behind authentication/rate limiting and run the worker under a supervisor that auto-restarts on crash to limit DoS dwell time (trade-off: restart-on-crash masks but does not prevent repeated outages).
XGrammar is an open-source library for efficient, flexible, and portable structured generation. Rated high severity (CVS
XGrammar is an open-source library for efficient, flexible, and portable structured generation. Rated medium severity (C
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Rated medium severity (C
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-7rgv-gqhr-fxg3