Description
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is present in 0.17.0.
Published: 2026-03-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) that enables arbitrary URL access
Action: Immediate Patch
AI Analysis

Impact

vLLM includes a method, load_from_url_async, that fetches user-supplied URLs for model weight loading. The SSRF protection introduced in v0.15.1 relies on urllib3's URL parser to validate hostnames, but load_from_url_async performs its requests with aiohttp, which parses URLs with yarl. Because the two parsers can extract different hostnames from the same string, an attacker can craft a URL that passes validation yet is sent by the client to a different target, including internal network services. This bypass can lead to unauthorized reads from, or interaction with, sensitive internal endpoints, violating confidentiality and potentially enabling further exploitation if those internal services are themselves vulnerable.

Affected Systems

The vulnerability affects the vLLM inference engine from the vllm‑project, specifically releases that include the load_from_url_async method. Current evidence indicates impact for v0.17.0, and versions earlier than v0.15.1 that lack the SSRF fix are inherently vulnerable as they do not contain protective logic.

Risk and Exploitability

The Common Vulnerability Scoring System assigns a 7.1 score, indicating high severity. The Exploit Prediction Scoring System gives an exploitation probability of less than 1%, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. An attacker would exploit the flaw by submitting crafted URLs to any exposed vLLM API endpoint that reaches load_from_url_async. If the service is reachable from untrusted networks the risk escalates, whereas purely internal exposure reduces the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vLLM to the newest release that addresses the SSRF bypass (for example, 0.18 or later).
  • If an upgrade is not feasible, remove or disable use of the load_from_url_async function so that no external URLs are fetched.
  • When the function must remain available, implement a manual check by passing URLs through urllib3.util.parse_url before invoking load_from_url_async, ensuring that the hostname extraction logic is consistent and only trusted domains are allowed.
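A strict allowlist guard of the kind the third action calls for, written as an added example (not vLLM's own code) using only the Python standard library: instead of trusting one parser's hostname while a different library performs the fetch, it rejects any URL that is not unambiguous (no userinfo, a plain DNS host, the scheme's default port, and a byte-exact round trip through the parser) and whose host is not on the allowlist. ALLOWED_HOSTS and the model URLs in the comments are constructed placeholders.

```python
"""Strict URL allowlist guard for a loader such as load_from_url_async (added example, not vLLM code)."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit
ALLOWED_HOSTS = frozenset({"models.example.com"})  # constructed placeholder
ALLOWED_SCHEMES = frozenset({"https"})
# A plain DNS name: lower-case labels of letters, digits and hyphens joined by dots.
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$")

class UnsafeURL(ValueError):
    pass

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to fetch, otherwise raise UnsafeURL."""
    # Characters that URL parsers disagree about never reach a parser at all.
    if not url.isascii() or any(ch.isspace() or ch == "\\" for ch in url):
        raise UnsafeURL("non-ASCII, whitespace or backslash in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    # Components that do not re-join to the exact input are ambiguous syntax another parser may read differently.
    if urlunsplit(parts) != url:
        raise UnsafeURL("URL does not round-trip through the parser")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo is not allowed")
    try:
        port = parts.port  # ValueError for a malformed or out-of-range port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if port is not None:
        raise UnsafeURL("only the scheme's default port is allowed")
    host = parts.hostname  # lower-cased, with IPv6 brackets stripped
    if host is None or not _HOST_RE.match(host) or _is_ip_literal(host):
        raise UnsafeURL("host is not a plain DNS name")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not allowlisted: {host}")
    return url

def is_allowed(url: str) -> bool:
    try:
        validate_url(url)
    except UnsafeURL:
        return False
    return True
```

Call validate_url on the user-supplied string and hand only its return value to the HTTP client, so the string that was checked is exactly the string that is fetched.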

Advisories

Source: GitHub GHSA
ID: GHSA-v359-jj2v-j536
Title: vLLM has SSRF Protection Bypass

History

Each entry lists the record type with the values removed and the values added.

Wed, 18 Mar 2026 18:45:00 +0000

First Time appeared (added): Vllm; Vllm vllm
CPEs (added): cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*
Vendors & Products (added): Vllm; Vllm vllm

Wed, 11 Mar 2026 12:15:00 +0000

Weaknesses (added): CWE-474
References:
Metrics threat_severity: removed None; added Important

Tue, 10 Mar 2026 15:30:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

First Time appeared (added): Vllm-project; Vllm-project vllm
Vendors & Products (added): Vllm-project; Vllm-project vllm

Mon, 09 Mar 2026 21:15:00 +0000

Description (added): vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is present in 0.17.0.
Title (added): SSRF Protection Bypass in vLLM
Weaknesses (added): CWE-918
References:
Metrics cvssV3_1 (added): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-10T15:01:18.476Z
Reserved: 2026-02-09T17:13:54.066Z
Link: CVE-2026-25960

Vulnrichment

Updated: 2026-03-10T15:01:15.560Z

NVD

Status: Analyzed
Published: 2026-03-09T21:16:15.537
Modified: 2026-03-18T18:36:10.323
Link: CVE-2026-25960

Redhat

Severity: Important
Public Date: 2026-03-09T21:01:01Z
Links: CVE-2026-25960 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses