Description
xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in 0.1.23 processes large grammars (>100k characters) very slowly, which can be used to cause denial of service (DoS) against model providers. This issue is fixed in version 0.1.24.
Report
This vulnerability is rated as moderate severity because an algorithmic complexity vulnerability exists in the grammar optimizer component: a remote, unauthenticated attacker can trigger the flaw with low complexity by submitting a specially crafted, large grammar (over 100,000 characters) for processing. This leads to excessive CPU consumption and prolonged processing delays, causing a Denial of Service (DoS) and compromising system availability.
Mitigation
Upgrade to xgrammar version 0.1.24 or later. The patched version directly addresses the root cause by optimizing the speed of the grammar optimizer and disabling certain slow optimization routines when processing very large grammars. This action prevents the excessive processing time that leads to the DoS condition.
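For deployments that cannot upgrade immediately, the following added example (not code from the advisory or from the xgrammar project) checks the installed version against the affected range stated above and refuses oversized client-supplied grammars before they reach the compiler. The function names and the idea of a pre-compile size cap are assumptions of this example; the advisory's own fix is the upgrade.

```python
import re
from importlib import metadata

# Bounds and threshold taken from the advisory text above.
INTRODUCED = (0, 1, 23)          # optimizer introduced in this release
FIXED = (0, 1, 24)               # first fixed release
LARGE_GRAMMAR_CHARS = 100_000    # "large grammars (>100k characters)"


def release_tuple(version: str) -> tuple:
    """Leading numeric release, e.g. '0.1.23.post1' -> (0, 1, 23)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))      # pad '0.1' to (0, 1, 0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version lies in [INTRODUCED, FIXED)."""
    return INTRODUCED <= release_tuple(version) < FIXED


def installed_xgrammar_version():
    """Installed xgrammar version string, or None if the package is absent."""
    try:
        return metadata.version("xgrammar")
    except metadata.PackageNotFoundError:
        return None


def admit_grammar(grammar_text: str, version: str,
                  max_chars: int = LARGE_GRAMMAR_CHARS):
    """Return (allowed, reason) for a client-supplied grammar before compiling."""
    size = len(grammar_text)
    if size <= max_chars:
        return True, f"{size} chars, within limit"
    if is_affected(version):
        return False, f"{size} chars exceeds {max_chars} on affected xgrammar {version}"
    return True, f"{size} chars, xgrammar {version} is outside the affected range"


if __name__ == "__main__":
    version = installed_xgrammar_version()
    print("installed xgrammar:", version)
    if version is not None:
        # Constructed placeholder input: only its length matters here.
        print(admit_grammar("x" * (LARGE_GRAMMAR_CHARS + 1), version))
```

Call `admit_grammar` at the request boundary, before the grammar string is handed to the structured-generation backend, and log the returned reason on rejection.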
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat AI Inference Server | rhaiis/vllm-cuda-rhel9 | Not affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-rocm-rhel9 | Not affected | | |
| Red Hat AI Inference Server | rhaiis/vllm-tpu-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-amd-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-aws-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-azure-amd-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-azure-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-gcp-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-intel-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/bootc-nvidia-rhel9 | Not affected | | |
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
xgrammar vulnerable to denial of service by huge enum grammar
EPSS
CVSS3: 7.5 High