AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2025-71379: vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Severa

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseJune 20, 2026CVE-2025-71379

Summary

vLLM versions 0.6.3 through 0.9.0 contain ReDoS (regular expression denial of service, where specially crafted text causes regex patterns to consume excessive CPU time) vulnerabilities in several components including the LoRA utility parser, phi4mini tool parser, and OpenAI chat endpoint. An attacker can send malicious input with nested or repeated structures to trigger severe CPU consumption and make the service unavailable.

Vulnerability Details

CVSS Score

4.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

June 20, 2026

Classification

Attack Type

DoS

Attack SophisticationModerate

Impact (CIA+S)

availability

AI Component TargetedInference

Taxonomy References

CWE (Weakness Type)

CWE-1333

Affected Vendors

Related Issues

medium

CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem

Similar attackNVD/CVE Database

low

CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-71379

First tracked: June 21, 2026 at 02:35 AM

Classified by LLM (prompt v3) · confidence: 95%