CVE-2026-24779

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.14.1

Description A Server-Side Request Forgery (SSRF) issue exists in the MediaConnector class within vLLM's multimodal feature set. The load from url and load from url async methods process URLs provided by users to obtain media, utilizing different Python parsing libraries for host restriction. These libraries interpret backslashes differently, enabling bypass of the hostname restriction. This allows an attacker to make the vLLM server send arbitrary requests to internal network resources. The issue is particularly critical in containerized environments like llm-d, where a compromised vLLM pod could scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could send malicious requests to an internal llm-d management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. The core of the issue lies in the MediaConnector.load from url method and its asynchronous counterpart, which accept a URL string to fetch media content. The URL validation uses the urlparse function, while the request is made using the requests function. These two parsing functions follow different URL specifications, leading to the bypass.

Recommendations Update to version 0.14.1 or later.