CVE-2026-55574

vLLM Project · vLLM

A vulnerability in the vLLM inference engine allows for potential denial-of-service attacks due to inefficient regular expression complexity.

Executive summary

The vLLM inference engine is vulnerable to an algorithmic complexity attack that could allow unauthenticated remote attackers to cause a denial-of-service condition.

Vulnerability

This vulnerability (CWE-1333) stems from inefficient regular expression complexity within the vLLM engine. An unauthenticated attacker can supply specially crafted inputs that trigger catastrophic backtracking, leading to high resource consumption and denial-of-service.

Business impact

Successful exploitation of this vulnerability can lead to significant system instability and denial-of-service, rendering the inference engine unresponsive to legitimate requests. Given the CVSS score of 8.7, this represents a high-severity risk to business continuity, particularly for organizations relying on vLLM for high-throughput AI workloads.

Remediation

Immediate Action: Upgrade to vLLM version 0.24.0 or later immediately to resolve the regular expression inefficiency.

Proactive Monitoring: Monitor server CPU and memory utilization for sudden, unexplained spikes that correlate with incoming inference requests.

Compensating Controls: Implement strict input validation or request rate limiting at the API gateway layer to prevent the submission of malicious, overly complex input strings.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a clear risk to the availability of AI serving infrastructure. Administrators must prioritize updating to version 0.24.0 to eliminate the underlying regex vulnerability. Prompt patching is essential to prevent potential service disruptions.