CVE-2025-6242: vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class
A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project’s multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.
This vulnerability is particularly critical in containerized environments like llm-d, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal llm-d management endpoint, leading to system instability by falsely reporting metrics like the KV cache state.
References
- access.redhat.com/security/cve/CVE-2025-6242
- bugzilla.redhat.com/show_bug.cgi?id=2373716
- github.com/advisories/GHSA-3f6c-7fw2-ppm4
- github.com/vllm-project/vllm
- github.com/vllm-project/vllm/commit/9d9a2b77f19f68262d5e469c4e82c0f6365ad72d
- github.com/vllm-project/vllm/security/advisories/GHSA-3f6c-7fw2-ppm4
- nvd.nist.gov/vuln/detail/CVE-2025-6242
Code Behaviors & Features
Detect and mitigate CVE-2025-6242 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →