{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25960", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-03-09T21:01:01.827Z", "dateUpdated": "2026-03-10T15:01:18.476Z"}, "containers": {"cna": {"title": "SSRF Protection Bypass in vLLM", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"}, {"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc"}, {"name": "https://github.com/vllm-project/vllm/pull/34743", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/34743"}, {"name": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0"}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"version": ">= 0.15.1, < 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:01:01.827Z"}, "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}], "source": {"advisory": "GHSA-v359-jj2v-j536", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:01:11.202728Z", "id": "CVE-2026-25960", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:01:18.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:01:11.202728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:01:15.560Z"}}], "cna": {"title": "SSRF Protection Bypass in vLLM", "source": {"advisory": "GHSA-v359-jj2v-j536", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"status": "affected", "version": ">= 0.15.1, < 0.17.0"}]}], "references": [{"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/pull/34743", "name": "https://github.com/vllm-project/vllm/pull/34743", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0", "name": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:01:01.827Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25960", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:01:18.476Z", "dateReserved": "2026-02-09T17:13:54.066Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T21:01:01.827Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A72A44F-F5E3-44C0-AB4B-A0B5B6797EFA", "versionEndExcluding": "0.17.0", "versionStartIncluding": "0.15.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}, {"lang": "es", "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLMs). La correcci\u00f3n de protecci\u00f3n contra SSRF para CVE-2026-24779 a\u00f1adida en 0.15.1 puede ser eludida en el m\u00e9todo load_from_url_async debido a un comportamiento inconsistente de an\u00e1lisis de URL entre la capa de validaci\u00f3n y el cliente HTTP real. La correcci\u00f3n de SSRF utiliza urllib3.util.parse_url() para validar y extraer el nombre de host de las URL proporcionadas por el usuario. Sin embargo, load_from_url_async utiliza aiohttp para realizar las solicitudes HTTP reales, y aiohttp utiliza internamente la biblioteca yarl para el an\u00e1lisis de URL. Esta vulnerabilidad en 0.17.0."}], "id": "CVE-2026-25960", "lastModified": "2026-03-18T18:36:10.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-09T21:16:15.537", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vllm-project/vllm/pull/34743"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vLLM: vLLM: Server-Side Request Forgery bypass via inconsistent URL parsing", "id": "2445892", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445892"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "status": "draft"}, "cwe": "CWE-474", "details": ["A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this Server-Side Request Forgery (SSRF) bypass vulnerability in the `load_from_url_async` method. The flaw occurs because the URL validation and the actual HTTP request handling use different parsing libraries, leading to inconsistencies. This allows an attacker to bypass existing SSRF protections, potentially leading to the disclosure of sensitive information from internal network resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25960", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis-preview/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-vllm-cpu-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-cuda-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-09T21:01:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25960\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25960\nhttps://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0\nhttps://github.com/vllm-project/vllm/pull/34743\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"], "statement": "This is an IMPORTANT vulnerability. The vLLM component, as used in Red Hat AI Inference Server and Red Hat OpenShift AI, is affected by a Server-Side Request Forgery (SSRF) protection bypass. This flaw allows an attacker to circumvent existing SSRF safeguards due to inconsistent URL parsing between the validation layer and the underlying HTTP client when the `load_from_url_async` method is utilized.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.15.1,0.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vllm", "source": "cna", "vendor": "vllm-project"}, "product": "vllm", "vendor": "vllm-project"}], "analysis": {"en": {"generated_at": "2026-04-16T10:12:03.948887+00:00", "value": {"mitigation_remediation": ["Upgrade vLLM to the newest release that addresses the SSRF bypass (for example, 0.18 or later).", "If an upgrade is not feasible, remove or disable use of the load_from_url_async function so that no external URLs are fetched.", "When the function must remain available, implement a manual check by passing URLs through urllib3.util.parse_url before invoking load_from_url_async, ensuring that the hostname extraction logic is consistent and only trusted domains are allowed."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery (SSRF) that enables arbitrary URL access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the vLLM inference engine from the vllm\u2011project, specifically releases that include the load_from_url_async method. Current evidence indicates impact for v0.17.0, and versions earlier than v0.15.1 that lack the SSRF fix are inherently vulnerable as they do not contain protective logic.", "description_and_impact": "vLLM incorporates a method, load_from_url_async, that fetches user\u2011supplied URLs for model weight loading. The SSRF protection introduced in v0.15.1 relies on urllib3\u2019s URL parser to validate hostnames, but load_from_url_async internally uses aiohttp, which parses URLs with yarl. The mismatch in hostname extraction allows an attacker to craft a URL that appears safe to the validator yet resolves to any target, including internal network services. This bypass can lead to unauthorized read or possible interaction with sensitive internal endpoints, violating confidentiality and potentially allowing further exploitation if those internal services are vulnerable.", "risk_and_exploitability": "The Common Vulnerability Scoring System assigns a 7.1 score, indicating a high risk level. The Exploit Prediction Scoring System shows a probability of less than 1\u202f%, and the vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Attackers would exploit the flaw by sending crafted payloads to any exposed vLLM API endpoint that accepts load_from_url_async calls. If the application is reachable from untrusted networks, the risk escalates, whereas internal exposure mitigates the attack surface."}}}}, "created": "2026-03-10T14:07:02.616655+00:00", "updated": "2026-04-16T10:15:26.113299+00:00", "vendors": ["vllm-project", "vllm-project$PRODUCT$vllm"]}