Vulnerability  ·  2026-07-07

vLLM — Uncompiled-Timeout Regex DoS via structured_outputs.regex Parameter

VulnerabilityHigh impactGlobalCVE-2026-55574
vLLM's structured-output feature compiles user-supplied regexes into constrained-decoding grammars without any timeout, so a crafted regex can hang the grammar compiler and consume server resources indefinitely, denying service to all other requests on a shared vLLM instance.
vLLM underpins production LLM inference for many organizations; a remote, unauthenticated DoS against a core structured-output feature can take down multi-tenant inference clusters serving many downstream AI applications at once.
The structured_outputs.regex API parameter passes a user-supplied regular expression string directly to grammar compiler backends (e.g. xgrammar) with no compilation timeout, allowing a remote unauthenticated caller to submit a catastrophic-backtracking regex that hangs the compiler and denies service to the shared inference server.
vLLM inference/serving engine, versions prior to 0.24.0
Upgrade to vLLM >= 0.24.0, which adds compilation timeouts to structured-output regex handling.
NVD CVE-2026-55574vLLM fix commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →