DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-25048: Stack Exhaustion Denial of Service in xgrammar EBNF Parser

Vulnerability ID: CVE-2026-25048
CVSS Score: 8.7
Published: 2026-03-05

xgrammar, a library used for structured generation in Large Language Model (LLM) pipelines, contains a critical denial of service vulnerability in its EBNF parser. The issue stems from uncontrolled recursion during the parsing of nested grammar structures. An attacker can supply a crafted grammar string with excessive nesting (e.g., thousands of parentheses), causing the recursive descent parser to consume all available stack memory. This results in a segmentation fault (SIGSEGV) that crashes the host process.

TL;DR

The xgrammar library (< 0.1.32) is vulnerable to a remote Denial of Service via stack exhaustion. By submitting a grammar with deeply nested parentheses, an attacker can trigger unbounded recursion in the C++ parsing logic, crashing the application.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-674
  • Vulnerability Type: Stack Exhaustion
  • CVSS v4.0: 8.7 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Impact: Denial of Service

Affected Systems

  • xgrammar < 0.1.32 (fixed in 0.1.32)
  • MLC LLM pipelines using custom grammars
  • Structured generation services relying on mlc-ai/xgrammar

Code Analysis

Commit: 5538654

feat: limit nest layer of ebnf parsing to avoid stack overflow

cpp/grammar_parser.cc

Exploit Details

Mitigation Strategies

  • Update xgrammar to version 0.1.32 or later immediately.
  • Implement input validation on grammar strings to limit length and nesting depth before passing them to the library.
  • Deploy service supervisors to automatically restart crashed worker processes.
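
The input-validation mitigation above can be implemented as a pre-check that runs before an untrusted grammar string reaches the library. This is an added example, not code from xgrammar or from the original report; the two limits and the lexical rules it relies on (double-quoted string literals, [...] character classes, # comments) are assumptions to adjust for your deployment.

```python
MAX_GRAMMAR_BYTES = 64 * 1024   # assumed policy value, not taken from xgrammar
MAX_NEST_DEPTH = 64             # assumed policy value, not taken from xgrammar


class GrammarRejected(ValueError):
    """Raised when a grammar string violates the local input policy."""


def max_paren_depth(grammar: str) -> int:
    """Return the deepest '(' nesting, scanning iteratively (no recursion).

    Assumed lexical rules: "..." string literals and [...] character
    classes with backslash escapes, and '#' comments to end of line.
    Parentheses inside those spans are not grouping and are skipped.
    """
    depth = deepest = 0
    closer = None                # delimiter that ends the current span, if any
    i, n = 0, len(grammar)
    while i < n:
        ch = grammar[i]
        if closer is not None:
            if ch == "\\" and closer != "\n":
                i += 1           # skip the escaped character (not in comments)
            elif ch == closer:
                closer = None
        elif ch == '"':
            closer = '"'
        elif ch == "[":
            closer = "]"
        elif ch == "#":
            closer = "\n"
        elif ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)   # unbalanced ')' is left for the parser to report
        i += 1
    return deepest


def check_grammar(grammar: str) -> str:
    """Return the grammar unchanged if it passes policy, else raise."""
    if len(grammar.encode("utf-8")) > MAX_GRAMMAR_BYTES:
        raise GrammarRejected("grammar exceeds size limit")
    depth = max_paren_depth(grammar)
    if depth > MAX_NEST_DEPTH:
        raise GrammarRejected(f"nesting depth {depth} exceeds {MAX_NEST_DEPTH}")
    return grammar
```

Call check_grammar on every externally supplied grammar at the service boundary and treat GrammarRejected as a client error; the check complements the upgrade to 0.1.32 and does not replace it.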

Remediation Steps:

  1. Identify all services depending on xgrammar or mlc-ai packages.
  2. Update the dependency in requirements.txt or pyproject.toml: xgrammar>=0.1.32.
  3. Rebuild any container images or environments that bundle the library.
  4. Verify the fix by attempting to compile a grammar with 2,000 nested parentheses; the system should return a Nest layer exceeded error instead of crashing.

Read the full report for CVE-2026-25048 on our website for more details including interactive diagrams and full exploit analysis.
