Skip to main content

xgrammar CVE-2026-25048

HIGH
Uncontrolled Recursion (CWE-674)
2026-03-05 security-advisories@github.com GHSA-7rgv-gqhr-fxg3
8.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity, unauthenticated trigger via attacker-supplied nested grammar; impact is process crash only, so C:N/I:N and A:H with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 05:05 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:03 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:02 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 05:01 vuln.today
Analysis Updated
Jun 30, 2026 - 05:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (HIGH) 8.7 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 16:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on xgrammar (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.1.32.

DescriptionCVE.org

xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.

AnalysisAI

Denial of service in the mlc-ai xgrammar structured-generation library (versions prior to 0.1.32) allows remote attackers to crash the host process via deeply multi-level nested grammar syntax that triggers a segmentation fault (core dump). Because xgrammar is typically embedded in LLM inference servers to constrain model output, an attacker who can influence the grammar/schema passed to the engine can take the service offline. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.06%), but the issue is fixed and has been picked up in multiple Red Hat advisories.

Technical ContextAI

xgrammar is an open-source library (vendor mlc-ai, CPE cpe:2.3:a:mlc-ai:xgrammar) that compiles context-free grammars/JSON schemas into constraints for structured/guided generation in large language model serving stacks. The flaw is classified as CWE-674 (Uncontrolled Recursion): the grammar parser/matcher recurses without an effective depth bound, so multi-level nested syntax drives the parser into unbounded recursion that exhausts the native stack and causes a segmentation fault (core dumped). This is a memory-safety/availability failure in the native (C++/compiled) grammar-processing path rather than a logic bug in the Python wrapper, which is why it manifests as a process-terminating crash rather than a handled exception.

RemediationAI

Vendor-released patch: upgrade xgrammar to version 0.1.32 or later (https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.32), per advisory GHSA-7rgv-gqhr-fxg3. If you consume xgrammar through a Red Hat product, apply the corresponding errata (RHSA-2026:5809, RHSA-2026:6761, RHSA-2026:6762, or RHSA-2026:24977) to pick up the rebuilt package. Where immediate upgrade is not possible, reduce exposure by not allowing untrusted clients to supply arbitrary grammars/JSON schemas to the inference engine - restrict grammar input to server-side trusted templates, and add input validation that rejects excessively deep nesting before it reaches the parser (trade-off: legitimate deeply-nested schemas would be refused). Additionally place the inference endpoint behind authentication/rate limiting and run the worker under a supervisor that auto-restarts on crash to limit DoS dwell time (trade-off: restart-on-crash masks but does not prevent repeated outages).

Vendor StatusVendor

Share

CVE-2026-25048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy