Upgrade `vllm` to version 0.11.0 or higher.
vllm is a high-throughput and memory-efficient inference and serving engine for LLMs.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `load_from_url` and `load_from_url_async` methods of the `MediaConnector` class, which fetch and process media from user-supplied URLs without sufficient restrictions on target hosts. An attacker can coerce the vLLM server into making arbitrary requests to internal network resources.
Note: This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data.
## Workaround
To address this vulnerability, it is essential to restrict the URLs that the `MediaConnector` can access. The principle of least privilege should be applied.
It is recommended to implement a configurable allowlist or denylist for domains and IP addresses.
Allowlist: The most secure approach is to allow connections only to a predefined list of trusted domains. This could be configured via a command-line argument, such as `--allowed-media-domains`. By default, this list could be empty, forcing administrators to explicitly enable external media fetching.
Denylist: Alternatively, a denylist could block access to private IP address ranges (`127.0.0.1`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) and other sensitive domains.
A check should be added at the beginning of the `load_from_url` methods to validate the parsed hostname against this list before any connection is made.
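
A sketch of such a pre-fetch check, added here as an example and not taken from vLLM's code: it applies the allowlist (empty by default) and then tests every resolved address against the denylist above. The names `check_media_url`, `is_denied` and `system_resolver` are hypothetical, and rejecting loopback, link-local and unspecified addresses in general is an assumption that goes beyond the ranges the page lists.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Denylist exactly as given in the advisory text above.
DENIED_NETS = [ipaddress.ip_network(n) for n in
               ("127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def system_resolver(host):
    """Return every address the system resolver maps `host` to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_denied(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot slip past the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    in_list = any(ip in net for net in DENIED_NETS if net.version == ip.version)
    # Assumption beyond the page's list: also reject loopback/link-local/unspecified.
    return in_list or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def check_media_url(url, allowed_domains=(), resolve=system_resolver):
    """Hypothetical pre-fetch check; returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    # An empty allowlist means no external media fetching at all.
    if host not in {d.lower() for d in allowed_domains}:
        return False, "host not allowlisted"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    # Reject if ANY resolved address is internal, not just the first one.
    if not addrs or any(is_denied(a) for a in addrs):
        return False, "resolves to denied address"
    return True, "ok"

if __name__ == "__main__":
    # Constructed DNS data so the demo runs offline.
    fake = {"img.example.com": {"93.184.216.34", "10.0.0.5"}}
    print(check_media_url("https://img.example.com/a.png", ["img.example.com"], fake.__getitem__))
```

The check only holds if the fetch then connects to the address that was validated and each redirect target is validated the same way; otherwise a second DNS lookup or a redirect can still land on an internal host.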