PT-2026-24113 · Vllm · Vllm

Racerz-Fighting · Published 2025-08-21 · Updated 2026-03-09 · CVE-2026-25960

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: vLLM versions prior to 0.15.1; vLLM version 0.17.0
Description: vLLM is an inference and serving engine for large language models (LLMs). The Server-Side Request Forgery (SSRF) protection mechanism introduced in version 0.15.1 can be bypassed in the `load_from_url_async` method. The bypass occurs because the validation layer and the actual HTTP client parse URLs differently: the validation layer uses `urllib3.util.parse_url()`, while the HTTP client uses aiohttp, which relies on the yarl library for URL parsing. These parsers handle backslash characters (`\`) differently, so an attacker can bypass the hostname allowlist check and reach arbitrary internal or external services, resulting in a full SSRF attack. The vulnerable component is in the vllm/connections.py file, within the `load_from_url_async` function. The attack scenario involves supplying a malicious URL such as https://httpbin.org@evil.com/.
Recommendations: Versions prior to 0.15.1: update to version 0.15.1 or later. Version 0.17.0: update to a newer version that addresses the inconsistent URL parsing behavior.
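The defensive pattern the description implies is to refuse any URL that parsers could disagree on before a hostname check runs, and to require the HTTP client's own parser to agree with the validator. The following is an added example, not vLLM's code: it uses the standard-library `urllib.parse` for the primary check so it runs anywhere, consults `urllib3` and `yarl` only if they happen to be installed, and the allowlist host and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real service supplies its own.
ALLOWED_HOSTS = {"httpbin.org"}
ALLOWED_SCHEMES = {"http", "https"}
# Characters that URL parsers handle inconsistently: the advisory names the
# backslash, and '@' introduces userinfo, the other half of the bypass.
# Refusing them up front means no parser ever has to agree on their meaning.
AMBIGUOUS_CHARS = ("\\", "@", " ", "\t", "\r", "\n")


def _hosts_seen_by_other_parsers(url: str) -> list:
    """Ask urllib3 and yarl (assumed optional here) which host they see.

    A parser that raises is recorded as None so the caller treats it as a
    disagreement instead of silently ignoring it.
    """
    hosts = []
    try:
        from urllib3.util import parse_url
        hosts.append(parse_url(url).host)
    except ImportError:
        pass
    except Exception:
        hosts.append(None)
    try:
        import yarl
        hosts.append(yarl.URL(url).host)
    except ImportError:
        pass
    except Exception:
        hosts.append(None)
    return hosts


def is_allowed_url(url: str) -> bool:
    """Return True only if every available parser agrees the host is allowlisted."""
    if any(ch in url for ch in AMBIGUOUS_CHARS):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, IPv6 brackets stripped
        _ = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or host not in ALLOWED_HOSTS:
        return False
    # Defence in depth: the HTTP client's parser, if present, must report the
    # same host as the validator; any mismatch or parse failure is a refusal.
    return all(other is not None and other.lower() == host
               for other in _hosts_seen_by_other_parsers(url))
```

The check rejects the advisory's sample URL because of the `@` alone, and a backslash variant for the same reason, without having to know how each library interprets those characters.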

Related Identifiers

BDU:2026-06585
CVE-2026-25960
GHSA-QH4C-XF7M-GXFC
GHSA-V359-JJ2V-J536

Affected Products

Vllm