CVE-2026-25960
SSRF Bypass in vLLM load_from_url_async Causes Remote Requests

Publication date: 2026-03-09

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779, added in 0.15.1, can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is fixed in 0.17.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: vllm
Product: vllm
Version range: from 0.15.1 (inclusive) to 0.17.0 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25960 is a Server-Side Request Forgery (SSRF) vulnerability in the vLLM project caused by inconsistent URL parsing between two libraries used in the system: urllib3 and aiohttp/yarl.

The vulnerability arises because the SSRF protection validates URLs using urllib3's parse_url(), while the actual HTTP requests are made using aiohttp, which uses the yarl library for URL parsing. These two libraries interpret backslash characters before the '@' symbol differently, allowing attackers to craft URLs that bypass domain allowlist checks.

Specifically, urllib3 treats the backslash as part of the path (encoding it as %5C), while aiohttp/yarl interprets it as a userinfo separator, changing the effective host extracted from the URL. This discrepancy enables attackers to bypass SSRF protections by making the system send requests to unintended hosts.

The fix normalizes URLs using urllib3 before passing them to aiohttp, ensuring consistent URL parsing and preventing SSRF bypasses caused by backslash-@ sequences. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can allow an attacker to bypass SSRF protections and coerce the vLLM server into making arbitrary HTTP requests to internal or attacker-controlled hosts.

Such unauthorized requests can lead to exposure of sensitive internal network resources, unauthorized access to internal services, or interaction with other pods in containerized environments.

In containerized setups like llm-d, a compromised vLLM pod could scan internal networks, cause denial of service, or send malicious requests to internal management endpoints, potentially destabilizing the system or leaking sensitive data.

The vulnerability has a high severity score (CVSS 7.1) indicating it is exploitable over the network with low complexity and low privileges required, making it a significant risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this SSRF vulnerability involves identifying attempts to exploit inconsistent URL parsing between the urllib3 and aiohttp/yarl libraries, particularly URLs containing backslash-@ (\@) sequences that bypass domain allowlist checks.

One approach is to monitor HTTP requests made by the vLLM service for suspicious URL patterns such as those containing backslash characters before the @ symbol, for example: http://127.0.0.1:<port>\@example.com/<asset> or https://example.com\@safe.example.org/image.png.

Network or application logs can be searched for such URL patterns to detect potential exploitation attempts.

Since the vulnerability is in the load_from_url_async method of vLLM, commands to detect suspicious requests might include grepping logs or network captures for URLs with backslash-@ sequences:

- grep -r '\\@' /path/to/vllm/logs
- tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep '\\@'
- Use application-level logging or debugging to capture URLs passed to load_from_url_async and check for inconsistent or suspicious URL formats.

Additionally, testing with crafted URLs as described in the fix's test cases can help confirm whether the system is vulnerable by observing whether such URLs are accepted or rejected. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the vLLM package to version 0.17.0 or later, where the vulnerability has been fixed by normalizing URLs using urllib3 before passing them to aiohttp, ensuring consistent URL parsing and preventing the SSRF bypass.

If an immediate upgrade is not possible, consider implementing strict input validation and sanitization on URLs before they are processed by vLLM, specifically rejecting URLs containing backslash characters before the @ symbol.

Review and enforce domain allowlists carefully, ensuring that URL parsing and validation are consistent with the HTTP client library's behavior.

Monitor logs for suspicious URL patterns and block or alert on requests that attempt to exploit the parsing inconsistency.

Apply network-level restrictions to limit vLLM's ability to make HTTP requests to only trusted domains and IP ranges. [1, 2]
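An added example, not vLLM's own code and not part of this advisory, that ties together the parser differential from the description, the log check from the detection answer, and the "validation must match the client's parsing" rule from the mitigation answer. It assumes the validator-side regex re-implements urllib3's authority rule instead of importing urllib3, that the client side is modelled with the standard library's urlsplit (on which yarl is built), and that the allowlist and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this demonstration, not vLLM's own configuration.
ALLOWED_HOSTS = frozenset({"example.com", "cdn.example.net"})

# Assumption: re-implements urllib3.util.parse_url's authority rule (not urllib3
# itself): the authority ends at the first '/', '?', '#' OR backslash, so "\@"
# lands in the path, which urllib3 then encodes as %5C.
_VALIDATOR_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^\\/?#]*)")

def validator_host(url):
    """Host as a urllib3-style validation layer sees it (IPv6 literals not handled)."""
    m = _VALIDATOR_RE.match(url)
    if not m:
        return None
    hostport = m.group(1).rsplit("@", 1)[-1]            # drop userinfo
    return hostport.rsplit(":", 1)[0].lower() or None   # drop port

def client_host(url):
    """Host the HTTP client connects to: yarl (aiohttp's URL type) is built on
    urlsplit, whose authority runs to the first '/', '?' or '#', so the backslash
    stays inside it and the text after the last '@' becomes the host."""
    return urlsplit(url).hostname

def check_url(url, allowlist=ALLOWED_HOSTS):
    """Accept only if both parsers agree on the host and that host is allowlisted."""
    v_host, c_host = validator_host(url), client_host(url)
    if v_host is None or c_host is None:
        return False, "unparseable URL"
    if v_host != c_host:
        return False, f"parser differential: validator sees {v_host!r}, client sees {c_host!r}"
    if v_host not in allowlist:
        return False, f"host {v_host!r} not in allowlist"
    return True, "ok"

def find_suspicious_urls(log_lines):
    """Detection over logs: flag every URL whose two host readings disagree."""
    return [url for line in log_lines for url in re.findall(r"https?://\S+", line)
            if validator_host(url) != client_host(url)]

# Constructed sample log lines (not real vLLM output).
SAMPLE_LOG = [
    "INFO load_from_url_async url=https://example.com/models/a.safetensors",
    "INFO load_from_url_async url=https://example.com\\@safe.example.org/image.png",
    "INFO load_from_url_async url=http://127.0.0.1:8000\\@example.com/asset.bin",
]
```

Rejecting on disagreement is the generic form of the fix: the patched code instead normalizes through urllib3 so the client only ever sees the %5C-encoded form.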

