{"id":"GHSA-389x-67px-mjg3","summary":"xgrammar Vulnerable to Denial of Service (DoS) by abusing unbounded cache in memory","details":"### Summary\n\nXgrammar includes a cache for compiled grammars to increase performance with repeated use of the same grammar. This cache is held in memory. Since the cache is unbounded, a system making use of xgrammar can be abused to fill up a host's memory and case a denial of service. For example, sending many small requests to an LLM inference server with unique JSON schemas would eventually cause this denial of service to occur.\n\n### Details\n\nThe fix is to add a limit to the cache size. This was done in https://github.com/mlc-ai/xgrammar/pull/243\n\nAn example of making use of the new cache size limit can be found in vLLM here: https://github.com/vllm-project/vllm/pull/16283\n\n### Impact\n\nAny system making use of Xgrammar and taking requests as input from potentially untrusted parties would be vulnerable to this denial of service issue.","aliases":["CVE-2025-32381"],"modified":"2026-02-04T02:14:22.887263Z","published":"2025-04-09T13:08:59Z","related":["CGA-3ccf-2c97-5969"],"database_specific":{"severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-770"],"nvd_published_at":"2025-04-09T16:15:26Z","github_reviewed_at":"2025-04-09T13:08:59Z"},"references":[{"type":"WEB","url":"https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32381"},{"type":"WEB","url":"https://github.com/mlc-ai/xgrammar/pull/243"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/pull/16283"},{"type":"PACKAGE","url":"https://github.com/mlc-ai/xgrammar"}],"affected":[{"package":{"name":"xgrammar","ecosystem":"PyPI","purl":"pkg:pypi/xgrammar"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.1.18"}]}],"versions":["0.1.0","0.1.1","0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.2","0.1.3","0.1.4","0.1.4rc2","0.1.5","0.1.5rc1","0.1.6","0.1.7","0.1.8","0.1.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-389x-67px-mjg3/GHSA-389x-67px-mjg3.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}