CVE-2025-57809

XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mlc-ai/xgrammar/commit/b943feacb5a1caf4d39de8ec3bf7c7ce066dcee5	Patch
https://github.com/mlc-ai/xgrammar/issues/250	Exploit Issue Tracking
https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-5cmr-4px5-23pc	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mlc-ai:xgrammar:*:*:*:*:*:*:*:*

History

09 Sep 2025, 18:57

Type	Values Removed	Values Added
References	~~() https://github.com/mlc-ai/xgrammar/commit/b943feacb5a1caf4d39de8ec3bf7c7ce066dcee5 -~~	() https://github.com/mlc-ai/xgrammar/commit/b943feacb5a1caf4d39de8ec3bf7c7ce066dcee5 - Patch
References	~~() https://github.com/mlc-ai/xgrammar/issues/250 -~~	() https://github.com/mlc-ai/xgrammar/issues/250 - Exploit, Issue Tracking
References	~~() https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-5cmr-4px5-23pc -~~	() https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-5cmr-4px5-23pc - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:mlc-ai:xgrammar::::::::
First Time		Mlc-ai xgrammar Mlc-ai

26 Aug 2025, 13:41

Type	Values Removed	Values Added
Summary		(es) XGrammar es una librería de código abierto para la generación de estructuras eficiente, flexible y portátil. Antes de la versión 0.1.21, XGrammar presentaba un problema de recursión infinita en la gramática. Este problema se ha resuelto en la versión 0.1.21.

25 Aug 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-25 22:15

Updated : 2025-09-09 18:57

NVD link : CVE-2025-57809

Mitre link : CVE-2025-57809

CVE.ORG link : CVE-2025-57809

JSON object : View

Products Affected

mlc-ai

xgrammar

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2025-57809", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-25T22:15:33.297", "references": [{"url": "https://github.com/mlc-ai/xgrammar/commit/b943feacb5a1caf4d39de8ec3bf7c7ce066dcee5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mlc-ai/xgrammar/issues/250", "tags": ["Exploit", "Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-5cmr-4px5-23pc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21."}, {"lang": "es", "value": "XGrammar es una librer\u00eda de c\u00f3digo abierto para la generaci\u00f3n de estructuras eficiente, flexible y port\u00e1til. Antes de la versi\u00f3n 0.1.21, XGrammar presentaba un problema de recursi\u00f3n infinita en la gram\u00e1tica. Este problema se ha resuelto en la versi\u00f3n 0.1.21."}], "lastModified": "2025-09-09T18:57:43.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mlc-ai:xgrammar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "486B9E92-AB98-4471-916F-6649AE83464D", "versionEndExcluding": "0.1.21"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}