{"id":"PYSEC-2025-54","details":"vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, hitting the  /v1/completions API with a invalid json_schema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex instead of a JSON schema. Version 0.9.0 fixes the issue.","aliases":["CVE-2025-48942","GHSA-6qc9-v4r8-22xg"],"modified":"2025-06-26T21:44:31.167227Z","published":"2025-05-30T19:15:30Z","references":[{"type":"EVIDENCE","url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"},{"type":"FIX","url":"https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"},{"type":"REPORT","url":"https://github.com/vllm-project/vllm/pull/17623"},{"type":"REPORT","url":"https://github.com/vllm-project/vllm/issues/17248"}],"affected":[{"package":{"name":"vllm","ecosystem":"PyPI","purl":"pkg:pypi/vllm"},"ranges":[{"type":"GIT","repo":"https://github.com/vllm-project/vllm","events":[{"introduced":"0"},{"fixed":"08bf7840780980c7568c573c70a6a8db94fd45ff"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0.8.0"},{"fixed":"0.9.0"}]}],"versions":["0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.5.post1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2025-54.yaml"}}],"schema_version":"1.7.3"}