CVE-2025-29770

CVE-2025-29770 is a medium-severity vulnerability in Vllm with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-770.

Key facts

Description

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0.

Frequently asked questions

What is CVE-2025-29770?
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0.
How severe is CVE-2025-29770?
CVE-2025-29770 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2025-29770 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (34th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-29770?
CVE-2025-29770 affects Vllm. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-29770?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-29770 have an EU (EUVD) identifier?
Yes. CVE-2025-29770 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-6726.
When was CVE-2025-29770 published?
CVE-2025-29770 was published on 2025-03-19 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Vllm

All CVEs affecting Vllm →

Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities

Browse all CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities →