Description
XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar can recurse without bound while processing a recursive grammar definition. This issue has been resolved in version 0.1.21.
A flaw was found in xgrammar. Recursive grammar definitions could trigger infinite recursion during parsing in GrammarMatcherBase::ExpandEquivalentStackElements, leading to unbounded stack growth and a segmentation fault. This vulnerability allows a remote, unauthenticated attacker who can supply the grammar to cause a denial of service (DoS) of the process that compiles it, so any service that accepts untrusted grammars (for example a user-provided JSON schema or EBNF for constrained decoding) is exposed.
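The advisory names the failing routine but not the exact grammar shape, so a useful defensive check is to reject, before compilation, any rule that can reach itself again without consuming input (direct, indirect or epsilon-mediated left recursion), since that is the shape on which an equivalent-stack expansion cannot terminate. The pre-flight validator below is an added example and is not xgrammar's own code; the EBNF dialect it parses (`name ::= body`, quoted terminals, `[char classes]`, `(groups)`, `|`, and the `* + ?` quantifiers) and the three sample grammars are constructed for illustration, and the assumption that left recursion is the trigger class is mine, not a statement of the patched logic.

```python
"""Pre-flight check for untrusted EBNF grammars (added example, not xgrammar code).

Flags rules that can re-enter themselves before consuming any input, i.e.
left recursion including cycles that pass through nullable rules.
"""
import re

# Constructed sample grammars used to exercise the check.
SAFE_GRAMMAR = r'''
root  ::= "[" items "]"
items ::= item ("," item)*
item  ::= "a" | "b" | "x" item
'''
LEFT_RECURSIVE_GRAMMAR = r'''
root ::= expr
expr ::= expr "+" term | term
term ::= [0-9]+
'''
NULLABLE_CYCLE_GRAMMAR = r'''
root ::= a
a    ::= opt b
opt  ::= "z"?
b    ::= a "y" | "w"
'''

TOKEN_RE = re.compile(
    r'\s*(?:("(?:\\.|[^"\\])*")'   # quoted terminal
    r'|(\[(?:\\.|[^\]\\])*\])'      # character class
    r'|([A-Za-z_][A-Za-z0-9_]*)'    # rule reference
    r'|([()|*+?]))'                 # punctuation / quantifier
)

def tokenize(body):
    tokens, pos, body = [], 0, body.strip()
    while pos < len(body):
        m = TOKEN_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {body[pos:pos + 10]!r}")
        pos = m.end()
        s, c, i, p = m.groups()
        if s is not None:
            tokens.append(("str", s[1:-1]))
        elif c is not None:
            tokens.append(("cls", c))
        elif i is not None:
            tokens.append(("ref", i))
        else:
            tokens.append(("punct", p))
    return tokens

class Parser:
    """Builds alternatives -> sequences -> items; item = (kind, value, quantifier)."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def alternatives(self):
        alts = [self.sequence()]
        while self.peek() == ("punct", "|"):
            self.i += 1
            alts.append(self.sequence())
        return alts
    def sequence(self):
        items = []
        while True:
            t = self.peek()
            if t is None or t in (("punct", "|"), ("punct", ")")):
                return items
            self.i += 1
            if t == ("punct", "("):
                inner = self.alternatives()
                if self.peek() != ("punct", ")"):
                    raise ValueError("unbalanced '('")
                self.i += 1
                item = ["grp", inner, None]
            elif t[0] == "punct":
                raise ValueError(f"unexpected {t[1]!r}")
            else:
                item = [t[0], t[1], None]
            nxt = self.peek()
            if nxt and nxt[0] == "punct" and nxt[1] in "*+?":
                item[2] = nxt[1]
                self.i += 1
            items.append(tuple(item))

def parse_grammar(text):
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, body = line.partition("::=")
        if not sep:
            raise ValueError(f"missing '::=' in {line!r}")
        toks = tokenize(body)
        p = Parser(toks)
        rules[name.strip()] = p.alternatives()
        if p.i != len(toks):
            raise ValueError(f"trailing tokens in rule {name.strip()!r}")
    return rules

def item_nullable(item, nullable):
    kind, val, quant = item
    if quant in ("*", "?"):
        return True
    if kind == "str":
        return val == ""
    if kind == "cls":
        return False
    if kind == "ref":
        return val in nullable
    return alts_nullable(val, nullable)

def alts_nullable(alts, nullable):
    return any(all(item_nullable(it, nullable) for it in seq) for seq in alts)

def compute_nullable(rules):
    """Fixpoint over the rule set: which rules can match the empty string."""
    nullable, changed = set(), True
    while changed:
        changed = False
        for name, alts in rules.items():
            if name not in nullable and alts_nullable(alts, nullable):
                nullable.add(name)
                changed = True
    return nullable

def alts_leading_refs(alts, nullable, out):
    """Rules reachable from the start of `alts` before any input is consumed."""
    for seq in alts:
        for item in seq:
            kind, val, _ = item
            if kind == "ref":
                out.add(val)
            elif kind == "grp":
                alts_leading_refs(val, nullable, out)
            if not item_nullable(item, nullable):
                break

def left_recursive_rules(text):
    """Return the sorted names of rules that can reach themselves without consuming input."""
    rules = parse_grammar(text)
    nullable = compute_nullable(rules)
    graph = {}
    for name, alts in rules.items():
        graph[name] = set()
        alts_leading_refs(alts, nullable, graph[name])
    bad = []
    for name in rules:
        seen, stack = set(), list(graph[name])
        while stack:
            cur = stack.pop()
            if cur == name:
                bad.append(name)
                break
            if cur not in seen:
                seen.add(cur)
                stack.extend(graph.get(cur, ()))
    return sorted(bad)

def check_untrusted_grammar(text):
    """(accept?, reason) gate to run before compiling a caller-supplied grammar."""
    try:
        bad = left_recursive_rules(text)
    except ValueError as exc:
        return False, f"malformed grammar: {exc}"
    if bad:
        return False, "left-recursive rule(s): " + ", ".join(bad)
    return True, "no rule can re-enter itself before consuming input"

if __name__ == "__main__":
    for label, g in [("safe", SAFE_GRAMMAR), ("left-recursive", LEFT_RECURSIVE_GRAMMAR),
                     ("nullable cycle", NULLABLE_CYCLE_GRAMMAR)]:
        ok, why = check_untrusted_grammar(g)
        print(f"{label:15s} -> {'accept' if ok else 'reject'}: {why}")
```

The second sample is rejected because `expr` starts with `expr`; the third because `a` reaches `b` through the nullable `opt` and `b` starts with `a`, a cycle a purely syntactic "does the rule name itself" check would miss. A gate like this does not replace upgrading to 0.1.21 or later: it is defense in depth, and the other half of that is compiling caller-supplied grammars in a separate worker process with a CPU/time limit so that a crash or runaway compilation takes down only the worker, not the inference service.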
Statement
This vulnerability is rated Important because it can be exploited remotely, without authentication or user interaction, and directly impacts the availability of systems that rely on xgrammar for constrained structured-output generation. Unlike a Moderate flaw, which might require unusual conditions or cause only partial degradation, the infinite recursion reliably ends in process termination or complete stack exhaustion as soon as a malicious grammar is supplied. Since xgrammar is typically embedded in long-running LLM inference services or API backends, a single crafted grammar can repeatedly force such a service into a denial-of-service state, making this a practical, high-impact attack vector. It does not compromise confidentiality or integrity, but the ease of exploitation, network accessibility, and total loss of availability raise it from Moderate to Important.
Mitigation
Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat AI Inference Server | rhaiis/vllm-cuda-rhel9 | Affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-rocm-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-amd-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-aws-nvidia-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-azure-amd-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-azure-nvidia-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-gcp-nvidia-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-intel-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-nvidia-rhel9 | Affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/instructlab-amd-rhel9 | Affected | | |
Additional information
CVSS3 base score: 7.5 High
Related vulnerabilities
XGrammar affected by Denial of Service by infinite recursion grammars (CVSS3 7.5 High)