Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

422 vulnerabilities reference this CWE, most recent first.

GHSA-8RVJ-6HP5-GF5X

Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 18:31
VLAI
Details

On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-14T16:15:59Z",
    "severity": "MODERATE"
  },
  "details": "On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153",
  "id": "GHSA-8rvj-6hp5-gf5x",
  "modified": "2025-11-14T18:31:39Z",
  "published": "2025-11-14T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8870"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22811-security-advisory-0125"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8XFF-473H-F863

Vulnerability from github – Published: 2024-02-21 00:00 – Updated: 2024-02-21 00:00
VLAI
Summary
Uncaught Exception Handling Parsing Errors on Line Terminators
Details

The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.

Impact

A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.

Patches

  • Version 1.2.1 and later are not affected by this issue.

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • 3527

  • https://github.com/StarlaneStudios/Surrealist/issues/177
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T00:00:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.2.1 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3527\n- https://github.com/StarlaneStudios/Surrealist/issues/177",
  "id": "GHSA-8xff-473h-f863",
  "modified": "2024-02-21T00:00:54Z",
  "published": "2024-02-21T00:00:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-8xff-473h-f863"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarlaneStudios/Surrealist/issues/177"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception Handling Parsing Errors on Line Terminators"
}

GHSA-93Q9-3XPQ-2256

Vulnerability from github – Published: 2025-08-29 09:31 – Updated: 2025-08-29 09:31
VLAI
Details

Uncaught exception issue exists in Multiple products in bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disable the Web Connection feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T07:15:32Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception issue exists in Multiple products in bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disable the Web Connection feature.",
  "id": "GHSA-93q9-3xpq-2256",
  "modified": "2025-08-29T09:31:24Z",
  "published": "2025-08-29T09:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54777"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU99831542"
    },
    {
      "type": "WEB",
      "url": "https://www.konicaminolta.jp/business/support/important/250829_01_01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-954H-PP6M-W6FR

Vulnerability from github – Published: 2025-02-13 00:33 – Updated: 2025-02-13 00:33
VLAI
Details

Uncaught exception in OpenBMC Firmware for the Intel(R) Server M50FCP Family and Intel(R) Server D50DNP Family before version R01.02.0002 may allow an authenticated user to potentially enable denial of service via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T22:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception in OpenBMC Firmware for the Intel(R) Server M50FCP Family and Intel(R) Server D50DNP Family before version R01.02.0002 may allow an authenticated user to potentially enable denial of service via network access.",
  "id": "GHSA-954h-pp6m-w6fr",
  "modified": "2025-02-13T00:33:07Z",
  "published": "2025-02-13T00:33:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20097"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00990.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-95C3-QH99-CVF2

Vulnerability from github – Published: 2024-06-25 03:31 – Updated: 2024-07-02 21:32
VLAI
Details

badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds.",
  "id": "GHSA-95c3-qh99-cvf2",
  "modified": "2024-07-02T21:32:06Z",
  "published": "2024-06-25T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5038"
    },
    {
      "type": "WEB",
      "url": "https://www.hanwhavision.com/wp-content/uploads/2024/06/Camera-Vulnerability-Report-CVE-2023-5037-5038.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-95Q3-PPPP-R683

Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-11-01 22:33
VLAI
Summary
Crash when decoding malformed HTTP requests or malformed JSON payload
Details

When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.mesos:mesos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-01T22:33:40Z",
    "nvd_published_at": "2018-09-13T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.",
  "id": "GHSA-95q3-pppp-r683",
  "modified": "2022-11-01T22:33:40Z",
  "published": "2022-05-14T01:38:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1330"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@\u003cdev.mesos.apache.org\u003e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crash when decoding malformed HTTP requests or malformed JSON payload"
}

GHSA-98FP-7V67-4V3Q

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 21:56
VLAI
Summary
PyTorch Lightning denial of service vulnerability
Details

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the /api/v1/state endpoint of LightningApp. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pytorch-lightning"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T21:56:43Z",
    "nvd_published_at": "2025-03-20T10:15:39Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.",
  "id": "GHSA-98fp-7v67-4v3q",
  "modified": "2025-03-21T21:56:43Z",
  "published": "2025-03-20T12:32:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8020"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Lightning-AI/pytorch-lightning"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PyTorch Lightning denial of service vulnerability"
}

GHSA-98V9-3HQ2-88Q8

Vulnerability from github – Published: 2025-10-14 15:31 – Updated: 2025-10-14 15:31
VLAI
Details

A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T13:15:40Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.",
  "id": "GHSA-98v9-3hq2-88q8",
  "modified": "2025-10-14T15:31:27Z",
  "published": "2025-10-14T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9124"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1755.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-99F4-GRH7-6PCQ

Vulnerability from github – Published: 2026-06-11 13:27 – Updated: 2026-06-11 13:27
VLAI
Summary
@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash
Details

Impact

An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js

Patches

The following version have fixes for this vulnerability:

  • 1.9.16
  • 1.10.12
  • 1.11.4
  • 1.12.7
  • 1.13.5
  • 1.14.4

Workarounds

There is no workaround.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.13.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:27:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nAn invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js\n\n### Patches\nThe following version have fixes for this vulnerability:\n\n - 1.9.16\n - 1.10.12\n - 1.11.4\n - 1.12.7\n - 1.13.5\n - 1.14.4\n\n### Workarounds\nThere is no workaround.",
  "id": "GHSA-99f4-grh7-6pcq",
  "modified": "2026-06-11T13:27:44Z",
  "published": "2026-06-11T13:27:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grpc/grpc-node"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash"
}

GHSA-9HCF-V7M4-6M2J

Vulnerability from github – Published: 2025-05-28 19:42 – Updated: 2025-06-27 21:07
VLAI
Summary
vLLM allows clients to crash the openai server with invalid regex
Details

Impact

A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema.

Issue with more details: https://github.com/vllm-project/vllm/issues/17313

Patches

  • https://github.com/vllm-project/vllm/pull/17623
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T19:42:12Z",
    "nvd_published_at": "2025-05-30T19:15:30Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to [GHSA-6qc9-v4r8-22xg](https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg), but for regex instead of a JSON schema.\n\nIssue with more details: https://github.com/vllm-project/vllm/issues/17313\n\n### Patches\n\n* https://github.com/vllm-project/vllm/pull/17623",
  "id": "GHSA-9hcf-v7m4-6m2j",
  "modified": "2025-06-27T21:07:04Z",
  "published": "2025-05-28T19:42:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9hcf-v7m4-6m2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/issues/17313"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/17623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-55.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vLLM allows clients to crash the openai server with invalid regex"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.