Critical Vulnerability Information

Vulnerability Title: Denial of service by huge enum grammar
Severity: Moderate
CVE ID: CVE-2025-5846
Affected Versions: 0.1.23
Patched Versions: 0.1.24

Vulnerability Description

Summary: The provided grammar works fine within the context window of most models, but in version 0.1.23 it takes several minutes to process. Testing shows that version 0.1.16 works correctly, indicating this is likely a regression introduced by the Earley parser.

Details: A full reproduction provider is included in the PoC section. The generated grammar contains approximately 70k tokens, and parsing the grammar itself (as observed with the models I tested) takes significantly longer than the LLM processing itself. This makes it feasible to use this for launching a Denial of Service (DoS) attack against model providers.

Patch: The issue was caused by a grammar optimizer introduced in v0.1.23 that is too slow. It only affects very large grammars (>100k characters), such as the one shown below. Version 0.1.24 resolves this by optimizing the grammar optimizer’s speed and disabling slow optimizations for large grammars.

PoC Code

Impact: DoS
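Alongside upgrading to 0.1.24, a provider that accepts client-supplied grammars can bound their size before they reach the grammar compiler. The sketch below is an added example, not code from the advisory or the affected project; it assumes requests carry either raw grammar text or a JSON Schema, and the function names and budget values are hypothetical.

```python
import json

# Assumed budgets for illustration; the advisory only states that grammars
# over roughly 100k characters hit the slow optimizer in 0.1.23.
MAX_CHARS = 100_000
MAX_ENUM_MEMBERS = 1_000
MAX_NODES = 10_000


class GrammarTooLarge(ValueError):
    """A client-supplied grammar or schema exceeds the admission budget."""


def check_grammar_text(grammar, max_chars=MAX_CHARS):
    """Admit raw grammar text only if it fits the character budget."""
    if len(grammar) > max_chars:
        raise GrammarTooLarge(f"grammar has {len(grammar)} chars (limit {max_chars})")
    return len(grammar)


def check_schema(schema, max_chars=MAX_CHARS, max_enum=MAX_ENUM_MEMBERS,
                 max_nodes=MAX_NODES):
    """Enforce size budgets on a parsed JSON Schema; returns (chars, largest_enum, nodes)."""
    chars = len(json.dumps(schema, separators=(",", ":")))
    if chars > max_chars:
        raise GrammarTooLarge(f"schema has {chars} chars (limit {max_chars})")
    largest_enum, nodes, stack = 0, 0, [schema]
    while stack:  # iterative walk over every dict, list and scalar
        node = stack.pop()
        nodes += 1
        if nodes > max_nodes:
            raise GrammarTooLarge(f"schema has more than {max_nodes} nodes")
        if isinstance(node, dict):
            enum = node.get("enum")
            if isinstance(enum, list):
                largest_enum = max(largest_enum, len(enum))
                if len(enum) > max_enum:
                    raise GrammarTooLarge(f"enum has {len(enum)} members (limit {max_enum})")
            # enum members are literals whose count is checked above; skip them
            stack.extend(v for k, v in node.items() if k != "enum")
        elif isinstance(node, list):
            stack.extend(node)
    return chars, largest_enum, nodes


# Constructed sample request schema (not from the advisory).
SAMPLE = {"type": "object", "properties": {"color": {"enum": ["red", "green", "blue"]}}}
```

Run the check before compilation and map `GrammarTooLarge` to a client error so oversized grammars never consume compiler time.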