Leishilong

#39069 of 53,633
7.1 Total CVSS
Vulnerabilities · 1
PT-2026-5029
7.1
2026-01-27
Vllm · Vllm · CVE-2026-24779
**Name of the Vulnerable Software and Affected Versions**

vLLM versions prior to 0.14.1

**Description**

A Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class of vLLM's multimodal feature set. The `load_from_url()` and `load_from_url_async()` functions fetch media from user-supplied URLs and are meant to restrict the target host, but the host check and the actual request are built on different Python URL-parsing libraries. Because those libraries place the end of the host name differently when a URL contains a backslash, a crafted URL can satisfy the host restriction while the request itself is sent to a host of the attacker's choosing. The attacker can thus make the server issue arbitrary requests to internal network resources.

In containerized deployments such as `llm-d`, this can be used to scan the internal network, interact with other pods, read sensitive data, or cause a denial of service. For example, forged requests to an internal `llm-d` management endpoint could destabilize the system by reporting false metrics such as the KV cache state.

**Recommendations**

Update to vLLM 0.14.1. Until the update is applied, as a temporary workaround restrict access to the `MediaConnector` class, or to the `load_from_url()` and `load_from_url_async()` functions, so that untrusted users cannot supply media URLs.
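The following Python example is added here to make the parser-differential class of bug concrete; it is not vLLM's code. It assumes, for illustration, that the allowlist decision is made with a WHATWG-style parser (backslash ends the authority, as browsers do) while the request layer resolves the host with `urllib.parse` (RFC 3986 style, where a backslash is an ordinary character). The allowlist, the metadata-service address and the sample URLs are constructed, and the hardened check shows one way to close the gap: parse once, reject ambiguous input, and allowlist the exact parsed host.

```python
from __future__ import annotations
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for the demo (not vLLM's configuration).
ALLOWED_HOSTS = {"media.allowed.example"}


def host_rfc3986(url: str) -> Optional[str]:
    """Host as urllib.parse sees it: the authority runs up to the first
    '/', '?' or '#', so a backslash stays inside the authority and the
    text after the last '@' becomes the host."""
    return urlsplit(url).hostname


def host_whatwg_like(url: str) -> Optional[str]:
    """Minimal WHATWG-style host extraction for http(s): for these
    schemes a backslash terminates the authority exactly like '/'.
    Deliberately simplified; it exists only to model the other parser."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        return None
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/\\?#":          # backslash ends the authority here
            end = i
            break
    authority = rest[:end]
    _, _, hostport = authority.rpartition("@")   # drop userinfo
    host = hostport.split(":", 1)[0].lower()     # drop port
    return host or None


def naive_is_allowed(url: str) -> bool:
    """Vulnerable pattern: the allowlist is decided with one parser..."""
    return host_whatwg_like(url) in ALLOWED_HOSTS


def naive_fetch_target(url: str) -> Optional[str]:
    """...while the HTTP layer resolves the host with a different one."""
    return host_rfc3986(url)


def hardened_is_allowed(url: str) -> Tuple[bool, Optional[str]]:
    """Single canonical parse; reject characters that parsers disagree
    on; require a plain host with no userinfo; exact-match allowlist.
    Returns (allowed, host_as_parsed). The caller must then issue the
    request to exactly this host, not re-parse the raw string."""
    if any(c in url for c in "\\\t\r\n\x00"):
        return False, None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, None
    host = parts.hostname
    if host is None or parts.username is not None or parts.password is not None:
        return False, None
    if host not in ALLOWED_HOSTS:
        return False, host
    return True, host


# Constructed attacker input: an allowed host in front of a backslash,
# then a link-local metadata address typical of cloud SSRF targets.
EVIL_URL = "http://media.allowed.example\\@169.254.169.254/latest/meta-data/"
GOOD_URL = "https://media.allowed.example/cat.png"

if __name__ == "__main__":
    for u in (GOOD_URL, EVIL_URL):
        print(u)
        print("  allowlist says:", naive_is_allowed(u),
              "| request goes to:", naive_fetch_target(u))
        print("  hardened:", hardened_is_allowed(u))
```

The naive pair approves `EVIL_URL` (the WHATWG-style view ends the host at the backslash) while the request layer sends it to `169.254.169.254`; the hardened check refuses it outright and accepts only the clean URL. Rejecting backslashes is the cheap fix; the structural fix is to hand the already-parsed, validated host to the HTTP client rather than the original string.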