CVE-2025-58446 MEDIUM

CVE-2025-58446: xgrammar vulnerable to denial of service by huge enum grammar

Vendor Mlc-Ai
Product xgrammar
Weakness CWE-770 · Uncontrolled resource consumption
Published September 6, 2025
Last update September 8, 2025

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in version 0.1.23 processes large grammars (more than 100k characters) extremely slowly. Because the grammar is usually built from request-supplied input such as a JSON schema, a single request carrying a huge enum can tie up the serving process and be used to deny service to model providers, without any authentication or user interaction. The issue is fixed in version 0.1.24; deployments running 0.1.23 should upgrade, and request handlers that accept caller-supplied schemas should bound their size before compilation.
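The following guard is an added example, not code from xgrammar or from the advisory: it shows how a serving endpoint can reject oversized or enum-heavy schemas before they reach the grammar compiler, and how to check that the installed library is at or past the fixed version. The thresholds (MAX_GRAMMAR_CHARS, MAX_ENUM_VALUES), the helper names and the sample schemas are assumptions chosen for illustration; the only figure taken from the advisory is the 100k-character size at which the slowdown is reported.

```python
"""Request-side guard against oversized structured-generation grammars.

Added example (not xgrammar's own code). It is meant to run before a
caller-supplied JSON schema is handed to a grammar compiler, so that a
huge enum cannot monopolise the serving process.
"""
import json
from typing import Any, Tuple

# Assumed thresholds: the advisory reports the slowdown above ~100k
# characters, so the character budget here stays well under that.
MAX_GRAMMAR_CHARS = 50_000
MAX_ENUM_VALUES = 1_000

# Version in which the advisory says the optimizer issue is fixed.
FIXED_VERSION = (0, 1, 24)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.1.24' (optionally with a '+local' suffix) into (0, 1, 24)."""
    core = version.split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def xgrammar_is_patched(version: str) -> bool:
    """True when the installed version is at or past the fixed release."""
    return parse_version(version) >= FIXED_VERSION


def count_enum_values(node: Any) -> int:
    """Recursively count enum entries anywhere in a JSON schema."""
    if isinstance(node, dict):
        enum = node.get("enum")
        own = len(enum) if isinstance(enum, list) else 0
        return own + sum(count_enum_values(v) for v in node.values())
    if isinstance(node, list):
        return sum(count_enum_values(v) for v in node)
    return 0


def check_schema(schema: dict) -> Tuple[bool, str]:
    """Return (accepted, reason). Size is checked first because it is the
    cheapest signal and already covers the huge-enum case."""
    text = json.dumps(schema, separators=(",", ":"))
    if len(text) > MAX_GRAMMAR_CHARS:
        return False, f"schema too large: {len(text)} chars > {MAX_GRAMMAR_CHARS}"
    enums = count_enum_values(schema)
    if enums > MAX_ENUM_VALUES:
        return False, f"too many enum values: {enums} > {MAX_ENUM_VALUES}"
    return True, "ok"


# Constructed sample inputs for demonstration (not real traffic).
BENIGN_SCHEMA = {
    "type": "object",
    "properties": {"color": {"enum": ["red", "green", "blue"]}},
}
HOSTILE_SCHEMA = {
    "type": "object",
    "properties": {"id": {"enum": [f"value-{i:08d}" for i in range(20_000)]}},
}

if __name__ == "__main__":
    for name, schema in (("benign", BENIGN_SCHEMA), ("hostile", HOSTILE_SCHEMA)):
        ok, reason = check_schema(schema)
        print(f"{name}: accepted={ok} ({reason})")
    print("0.1.23 patched?", xgrammar_is_patched("0.1.23"))
    print("0.1.24 patched?", xgrammar_is_patched("0.1.24"))
```

The guard is deliberately independent of the grammar library: it only inspects the JSON text and structure, so it costs linear time in the schema size and can sit in front of any compiler. Treat the limits as a ceiling on what the deployment is willing to compile per request, and keep the version check as a deployment-time assertion rather than a runtime substitute for upgrading.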

Key dates

02 Disclosure timeline

September 6, 2025 CVE published
September 8, 2025 Record updated
