How the CVE Works
CVE-2025-48942 is a DoS vulnerability in vLLM (0.8.0 to 0.9.0) triggered by sending a malformed `json_schema` in a Guided Param to the `/v1/completions` API endpoint. The invalid schema causes the server to crash instead of gracefully rejecting the request. This occurs due to insufficient input validation in the schema parsing logic, similar to CVE-2025-48943 (which affects regex handling). The flaw allows an attacker to disrupt LLM inference services by repeatedly sending crafted requests.
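The failure mode described above is a schema that throws inside the parser with nothing catching it at the request boundary. The block below is an added example, not vLLM's own code, of the defensive pattern that prevents that: parse and structurally check the client-supplied schema first, map every client-fixable problem to a 400 response, and keep a last-resort guard so a surprise exception never reaches the server loop. The field name `guided_json_schema` is taken from the page's own request snippets; the size and depth limits, the `GuidedParamError` type and the `handle_completion_request` stand-in handler are assumptions for illustration.

```python
import json
from typing import Any, Union

# Added example (not vLLM code): validate a guided JSON schema at the API
# boundary so bad input becomes a 400, not a crashed inference server.

KNOWN_TYPES = {"object", "array", "string", "number", "integer", "boolean", "null"}
MAX_SCHEMA_BYTES = 64 * 1024   # assumed limit; tune per deployment
MAX_DEPTH = 32                 # assumed limit against deeply nested schemas


class GuidedParamError(ValueError):
    """Client error in a guided param; the handler maps it to HTTP 400."""


def _check_node(node: Any, depth: int) -> None:
    """Structural checks on one schema node, recursing into sub-schemas."""
    if depth > MAX_DEPTH:
        raise GuidedParamError("schema nesting too deep")
    if not isinstance(node, dict):
        raise GuidedParamError("schema node must be a JSON object")
    t = node.get("type")
    if t is not None:
        for item in (t if isinstance(t, list) else [t]):
            if item not in KNOWN_TYPES:
                raise GuidedParamError(f"unknown type {item!r}")
    props = node.get("properties")
    if props is not None:
        if not isinstance(props, dict):
            raise GuidedParamError("'properties' must be an object")
        for sub in props.values():
            _check_node(sub, depth + 1)
    req = node.get("required")
    if req is not None:
        if not isinstance(req, list) or not all(isinstance(r, str) for r in req):
            raise GuidedParamError("'required' must be a list of strings")
        if props is not None:
            missing = [r for r in req if r not in props]
            if missing:
                raise GuidedParamError(f"'required' names undefined properties: {missing}")
    items = node.get("items")
    if items is not None:
        _check_node(items, depth + 1)
    for key in ("anyOf", "oneOf", "allOf"):
        if key in node:
            if not isinstance(node[key], list):
                raise GuidedParamError(f"'{key}' must be a list")
            for sub in node[key]:
                _check_node(sub, depth + 1)


def validate_guided_json_schema(raw: Union[str, dict]) -> dict:
    """Parse (if given as a string) and structurally check a guided schema.

    Returns the schema dict, or raises GuidedParamError for anything the
    client could fix: malformed JSON, wrong shape, oversized, too deep.
    """
    if isinstance(raw, str):
        if len(raw.encode("utf-8")) > MAX_SCHEMA_BYTES:
            raise GuidedParamError("schema too large")
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise GuidedParamError(f"schema is not valid JSON: {exc.msg}") from exc
    else:
        parsed = raw
    _check_node(parsed, 0)
    return parsed


def handle_completion_request(body: dict) -> tuple:
    """Stand-in for the guided-param step of a /v1/completions handler.

    Returns (status_code, payload). Every failure on the schema path is
    answered as a client error; the process never dies on bad input.
    """
    schema = body.get("guided_json_schema")   # field name as used on the page
    if schema is None:
        return 200, {"guided": None}
    try:
        parsed = validate_guided_json_schema(schema)
    except GuidedParamError as exc:
        return 400, {"error": str(exc)}
    except Exception as exc:  # last-resort guard: never propagate to the server loop
        return 400, {"error": f"could not process guided schema: {type(exc).__name__}"}
    return 200, {"guided": parsed}


if __name__ == "__main__":
    # Constructed inputs: the page's placeholder payload and a well-formed schema.
    print(handle_completion_request({"guided_json_schema": "{INVALID_JSON}"}))
    print(handle_completion_request({"guided_json_schema": '{"type": "object"}'}))
```

The structural checks are deliberately a subset of JSON Schema; the point is that the checks run before the schema reaches the guided-decoding backend, and that the handler's `except Exception` converts anything the validator missed into a response rather than a worker death. A real deployment would also rate-limit repeated 400s from one client, since the page notes the attack relies on repeated requests.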
DailyCVE Form
Platform: vLLM
Version: 0.8.0 – 0.9.0
Vulnerability: DoS
Severity: Critical
Date: 06/24/2025
Prediction: Patch expected by 07/15/2025
What Undercode Say
curl -X POST http://vllm-server/v1/completions -H "Content-Type: application/json" -d '{"guided_json_schema": "{INVALID_JSON}"}'
import requests
requests.post("http://vllm-server/v1/completions", json={"guided_json_schema": "{MALFORMED}"})
How to Exploit
Send malformed JSON schema to `/v1/completions` to crash server.
Protection from this CVE
Upgrade to vLLM 0.9.0.
Impact
Service disruption, LLM unavailability.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode