CVE-2025-58446 Overview
CVE-2025-58446 is a Denial of Service (DoS) vulnerability in xgrammar, an open-source library for efficient, flexible, and portable structured generation. The vulnerability exists in a grammar optimizer introduced in version 0.1.23, which processes large grammars (exceeding 100,000 characters) at extremely low rates. This performance degradation can be exploited to cause a denial of service against model providers that rely on xgrammar for structured output generation.
Critical Impact
Attackers can exploit the inefficient grammar processing to exhaust server resources, causing service disruption for AI/ML model providers using xgrammar for structured generation tasks.
Affected Products
- mlc-ai xgrammar version 0.1.23
Discovery Timeline
- September 6, 2025 - CVE-2025-58446 published to NVD
- September 18, 2025 - Last updated in NVD database
Technical Details for CVE-2025-58446
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The grammar optimizer component introduced in xgrammar version 0.1.23 lacks proper resource management when handling exceptionally large grammars. When processing grammar definitions exceeding 100,000 characters, the optimizer's performance degrades significantly, operating at very low processing rates that can consume disproportionate computational resources.
The vulnerability is particularly concerning for model providers and AI/ML inference services that accept user-provided grammar specifications for structured output generation. Since xgrammar is designed to be efficient and portable for structured generation tasks, the introduction of this performance regression creates an asymmetric attack opportunity where minimal attacker effort can cause substantial service degradation.
Root Cause
The root cause stems from the grammar optimizer's algorithmic implementation that was introduced in version 0.1.23. The optimizer lacks appropriate bounds checking or complexity limits when processing grammar definitions. When confronted with grammars exceeding 100,000 characters, the processing algorithm operates at extremely low rates, failing to scale appropriately with input size. This absence of resource allocation limits allows an attacker to craft malicious grammar inputs that trigger excessive resource consumption.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by submitting specially crafted large grammar definitions (exceeding 100,000 characters) to services utilizing xgrammar for structured generation. The attack follows these general steps:
- The attacker identifies a service endpoint that accepts grammar specifications for xgrammar processing
- The attacker constructs a grammar definition exceeding 100,000 characters
- The malicious grammar is submitted to the target service
- The grammar optimizer processes the input at very low rates, consuming server resources
- Repeated requests amplify the effect, potentially causing service degradation or unavailability
For technical details regarding the vulnerability mechanism and the fix implementation, refer to the GitHub Security Advisory and the associated commit.
Detection Methods for CVE-2025-58446
Indicators of Compromise
- Unusually large grammar specification requests (exceeding 100,000 characters) in application logs
- Abnormal CPU utilization spikes correlated with grammar processing operations
- Increased response times or timeouts for structured generation endpoints
- Memory consumption anomalies in services utilizing xgrammar
Detection Strategies
- Implement request payload size monitoring to identify grammar submissions exceeding expected thresholds
- Deploy application performance monitoring (APM) to track grammar processing duration and flag operations exceeding normal baselines
- Configure alerting for CPU and memory utilization spikes in services using xgrammar components
Monitoring Recommendations
- Enable detailed logging for all grammar processing operations including input size metrics
- Establish baseline performance metrics for grammar processing and alert on significant deviations
- Monitor network traffic patterns for repeated large payload submissions to structured generation endpoints
How to Mitigate CVE-2025-58446
Immediate Actions Required
- Upgrade xgrammar to version 0.1.24 or later immediately
- Audit systems to identify all instances of xgrammar version 0.1.23
- Implement input validation to reject grammar definitions exceeding reasonable size thresholds
- Consider rate limiting on endpoints that accept grammar specifications
Patch Information
The vulnerability has been fixed in xgrammar version 0.1.24. The fix is available via the GitHub commit. Organizations should update their xgrammar dependency to version 0.1.24 or later to remediate this vulnerability. The GitHub Security Advisory GHSA-9q5r-wfvf-rr7f provides additional details regarding the fix.
Workarounds
- Implement input size validation to reject grammar definitions exceeding 100,000 characters before they reach the xgrammar optimizer
- Deploy request rate limiting on grammar processing endpoints to mitigate the impact of repeated malicious requests
- Configure resource quotas (CPU/memory limits) for processes handling grammar optimization to prevent complete service exhaustion
# Example: Update xgrammar using pip
pip install --upgrade xgrammar>=0.1.24
# Verify installed version
pip show xgrammar | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
