CVE-2025-57809

HIGHNVD 7.57.5—Trending — 4 sources updated this week

7.5

XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21.

CVSS v3: 7.5
EG Score: 7.5(medium)
EPSS: 15.4%
KEV: Not listed

Published

August 25, 2025

Last Modified

September 9, 2025

References (3)

security-advisories@githubhttps://github.com/mlc-ai/xgrammar/commit/b943feacb5a1caf4d39de8ec3bf7c7ce066dcee5
security-advisories@githubhttps://github.com/mlc-ai/xgrammar/issues/250
security-advisories@githubhttps://github.com/mlc-ai/xgrammar/security/advisories/GHSA-5cmr-4px5-23pc

Patch Availability(10)

Vendor / Ecosystem	Fixed in / Patch	Released	Source
redhat	rhelai1/bootc-gcp-nvidia-rhel9:sha256:a83229f005c78e271c774f3eda26421fedbc4b8cf1ac3fe94234899c6d677124	2025-11-03	redhat
redhat	rhelai1/bootc-amd-rhel9:sha256:c029b66a3354ee6fd186a1f05aff31b5834e611b9d5b326b65b16829d6b98d1f	2025-11-03	redhat
redhat	rhelai1/bootc-nvidia-rhel9:sha256:dd412fc0dde3dee492839c28f8ed003bb17fe5fe1be375031b24c84bb36fb8cd	2025-11-03	redhat
redhat	rhelai1/bootc-aws-nvidia-rhel9:sha256:385028a96717418982de197f8f0a9052edf12f80a50bd8ab53ca72203a4ba5d8	2025-11-03	redhat
redhat	rhelai1/bootc-azure-nvidia-rhel9:sha256:427596ae2591a30a0218b7cfdd858ccad96178ddc2618cdf0a6e4e9af36685bf	2025-11-03	redhat
redhat	rhelai1/instructlab-nvidia-rhel9:sha256:a7e2df4276aaba0d23430c7c3314e05b005fe5628d588bc1f4f979a35571fa5c	2025-11-03	redhat
redhat	rhelai1/instructlab-amd-rhel9:sha256:03f22e965af16fe84aed7d30e7b8db00dead11d9fd4b11e3c9abb2e68dd910f1	2025-11-03	redhat
redhat	rhelai1/instructlab-intel-rhel9:sha256:cf0ec4ad1520ff2ce83420846830286e036f310f880cf8a533f0966c35ebd32f	2025-11-03	redhat
redhat	rhelai1/bootc-intel-rhel9:sha256:601064840ac29ea7d4a977efb506df226a2931d5079ec9f432bdf60095bf7c2e	2025-11-03	redhat
redhat	rhelai1/bootc-azure-amd-rhel9:sha256:f77167ea53b46b91631679ed84aab2373ff56dc62cba946296be212443bc2a99	2025-11-03	redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(1 across 1 ecosystem)

PyPI(1)

Package	Vulnerable range	Fixed in	Dependents
xgrammar	0.1.0 ... 0.1.9 (23 versions)	0.1.21	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-674Uncontrolled Recursion

All Vendor Advisories

(10)

Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.

Data Freshness Timeline

(refreshed 10× in last 7d / 10× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-06-01 13:51 UTCepss_batch
2026-06-01 13:51 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 22:30 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-31 00:16 UTCepss_batch
2026-05-29 23:53 UTCEG score recompute
2026-05-29 23:53 UTCVendor advisory
2026-05-29 19:20 UTCOSV refresh
2026-05-29 13:44 UTCepss_batch

Frequently asked(5)

What is CVE-2025-57809?

CVE-2025-57809 is a high vulnerability published on August 25, 2025. XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21.

When was CVE-2025-57809 disclosed?

CVE-2025-57809 was first published in the National Vulnerability Database on August 25, 2025, with the most recent update on September 9, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2025-57809 actively exploited?

CVE-2025-57809 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 15.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2025-57809?

CVE-2025-57809 has a CVSS v3 base score of 7.5 (NVD).

How do I remediate CVE-2025-57809?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2025-57809, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2025-57809

Explore →

Is Your Infrastructure Affected by CVE-2025-57809?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2025-57809

Published

Last Modified

References (3)

Patch Availability(10)

Affected Packages

Weakness Classification(1)

All Vendor Advisories

Data Freshness Timeline

Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2025-57809?

Same vendor

Same CWE

CVE-2025-57809

📅 Published

🔄 Last Modified

🔗 References (3)

Patch Availability(10)

Affected Packages

Weakness Classification(1)

All Vendor Advisories

Data Freshness Timeline

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2025-57809?

🔗 Related CVEs(same vendor + same CWE)

Same vendor

Same CWE

Published

Last Modified

References (3)

Frequently asked(5)

Related CVEs(same vendor + same CWE)