FKIE_CVE-2026-24779

Vulnerability from fkie_nvd - Published: 2026-01-27 22:15 - Updated: 2026-01-30 14:41
Summary
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The `load_from_url` and `load_from_url_async` methods fetch and process media from user-supplied URLs, and two different Python URL-parsing libraries are involved in restricting the target host. The two libraries interpret backslashes differently, so a crafted URL can pass the host-name restriction under one parser while resolving to a different host under the other, which bypasses the restriction. An attacker can thereby coerce the vLLM server into making arbitrary requests to internal network resources. This is particularly critical in containerized environments such as `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, causing system instability by falsely reporting metrics such as the KV cache state. Version 0.14.1 contains a patch for the issue.
Impacted products
Vendor   Product   Version
vllm     vllm      * (all versions before 0.14.1; see versionEndExcluding in the CPE match below)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCFA39AA-12B5-495B-8184-4B4136B710F1",
              "versionEndExcluding": "0.14.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project\u0027s multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLM). Antes de la versi\u00f3n 0.14.1, existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en la clase \u0027MediaConnector\u0027 dentro del conjunto de caracter\u00edsticas multimodales del proyecto vLLM. Los m\u00e9todos load_from_url y load_from_url_async obtienen y procesan medios de URLs proporcionadas por los usuarios, utilizando diferentes librer\u00edas de an\u00e1lisis de Python al restringir el host de destino. Estas dos librer\u00edas de an\u00e1lisis tienen diferentes interpretaciones de las barras invertidas, lo que permite eludir la restricci\u00f3n del nombre de host. Esto permite a un atacante coaccionar al servidor vLLM para que realice peticiones arbitrarias a recursos de red internos. Esta vulnerabilidad es particularmente cr\u00edtica en entornos contenerizados como \u0027llm-d\u0027, donde un pod vLLM comprometido podr\u00eda usarse para escanear la red interna, interactuar con otros pods y potencialmente causar denegaci\u00f3n de servicio o acceder a datos sensibles. Por ejemplo, un atacante podr\u00eda hacer que el pod vLLM env\u00ede peticiones maliciosas a un endpoint de gesti\u00f3n interno de \u0027llm-d\u0027, lo que llevar\u00eda a la inestabilidad del sistema al informar falsamente m\u00e9tricas como el estado de la cach\u00e9 KV. La versi\u00f3n 0.14.1 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-24779",
  "lastModified": "2026-01-30T14:41:25.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T22:15:57.280",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vllm-project/vllm/commit/f46d576c54fb8aeec5fc70560e850bed38ef17d7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/vllm-project/vllm/pull/32746"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
