Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
Published: 2026-04-20
Score: 7.5 High
EPSS: 2.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LMDeploy’s vision‑language module contains an SSRF flaw in the load_image() function. The function fetches URLs supplied by users without validating that they target public or safe addresses, permitting an attacker to retrieve arbitrary data from internal or private networks, including cloud metadata services. The vulnerability corresponds to CWE‑918 and could enable attackers to exfiltrate sensitive information or gain additional footholds within a protected environment.

Affected Systems

The flaw affects InternLM’s LMDeploy, specifically all releases preceding version 0.12.3. The patch begins with release 0.12.3, which removes the unchecked URL fetch from load_image().

Risk and Exploitability

With a CVSS score of 7.5 the flaw is considered high severity. The EPSS score is 3% and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely by directing malicious image URLs to LMDeploy. An attacker only needs to supply an unvalidated URL to the load_image routine, which will then resolve and fetch the resource, potentially exposing internal addresses or data. The description does not specify whether authentication is required; it is inferred that the vulnerability might be exploitible without authentication, but this is not confirmed.

Generated by OpenCVE AI on May 2, 2026 at 11:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LMDeploy to version 0.12.3 or later to apply the official fix.
  • Configure network controls to restrict LMDeploy’s outbound traffic, ensuring it cannot access internal or cloud metadata endpoints.
  • If an immediate upgrade is not possible, restrict image URL sources by implementing a whitelist or proxy that blocks untrusted external requests.

Generated by OpenCVE AI on May 2, 2026 at 11:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6w67-hwm5-92mq LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading
History

Thu, 23 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:internlm:lmdeploy:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Internlm
Internlm lmdeploy
Vendors & Products Internlm
Internlm lmdeploy

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
Title LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Internlm Lmdeploy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:50:13.326Z

Reserved: 2026-03-23T14:24:11.617Z

Link: CVE-2026-33626

cve-icon Vulnrichment

Updated: 2026-04-21T17:52:24.672Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T21:16:35.097

Modified: 2026-04-23T13:39:54.420

Link: CVE-2026-33626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T11:15:19Z

Weaknesses