{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "0.1.23" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "16e5298ed9b74fba1c8674b21996b0f47d95276d" }, { "fixed": "ced69c3ad2f8f61b516cc278a342e7c644383e27" } ], "repo": "https://github.com/mlc-ai/xgrammar", "type": "GIT" } ] } ], "aliases": [ "GHSA-9q5r-wfvf-rr7f" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-770" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58446.json" }, "details": "xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in 0.1.23 processes large grammars (\u003e100k characters) at very low rates, and can be used for DOS of model providers. This issue is fixed in version 0.1.24.", "id": "CVE-2025-58446", "modified": "2026-04-01T23:10:35.279705901Z", "published": "2025-09-06T19:06:10.141Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58446.json" }, { "type": "ADVISORY", "url": "https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-9q5r-wfvf-rr7f" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58446" }, { "type": "FIX", "url": "https://github.com/mlc-ai/xgrammar/commit/ced69c3ad2f8f61b516cc278a342e7c644383e27" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "xgrammar vulnerable to denial of service by huge enum grammar" }