Platform: python
Component: vllm
Fixed in: 0.11.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the vLLM project’s multimodal feature set, specifically within the MediaConnector class. The `load_from_url` and `load_from_url_async` methods fail to adequately restrict user-provided URLs, allowing attackers to force the vLLM server to make requests to internal network resources. This vulnerability impacts versions of vLLM up to and including 0.9.2 and is resolved in version 0.11.0.
The SSRF vulnerability in vLLM allows an attacker to leverage the server to scan the internal network. By crafting malicious URLs, an attacker can instruct the vLLM server to make requests to internal services and resources that would otherwise be inaccessible. In containerized environments like llm-d, a compromised vLLM pod could be used to enumerate internal services, potentially leading to the discovery of sensitive information or further exploitation opportunities. The blast radius extends to any internal resources accessible from the vLLM server, posing a significant risk to the overall security posture of the environment.
This vulnerability was publicly disclosed on 2025-10-07. There is no indication of this vulnerability being actively exploited at the time of writing. The EPSS score is pending evaluation. Public proof-of-concept code is not currently available, but the SSRF nature of the vulnerability makes it likely that such code will emerge.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-6242 is to upgrade to vLLM version 0.11.0 or later, which includes the necessary fixes to prevent unauthorized URL requests. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests from the vLLM server, blocking requests to internal IP addresses or suspicious domains. Additionally, restrict network access to the vLLM pod to only necessary services. Review and tighten URL validation logic within the MediaConnector class if manual patching is attempted, ensuring that only trusted domains are permitted. After upgrade, confirm functionality by attempting to load media from a variety of trusted URLs.
Update to a version of vLLM that has fixed the SSRF vulnerability in the MediaConnector class. Refer to the release notes and changelog for details on the patched version. Implement validation and sanitization of user-provided URLs to prevent the server from making requests to unauthorized internal resources.
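One way to implement the URL validation and sanitization described above, as an added example that is not vLLM's own code: it accepts only http/https URLs with no embedded credentials, whose host is on an allow-list, and whose every resolved address is globally routable, so loopback, RFC 1918, link-local and other internal ranges are rejected even when a trusted name resolves to them. The allow-list hosts, the `resolve` hook and the addresses in the demo are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allow-list for this example; a deployment supplies its own.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"cdn.example.com", "media.example.com"}


def _resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_media_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve):
    """Return True only if the server may fetch this URL on a client's behalf.

    Checks, in order: scheme, no user:password in the authority, host on the
    allow-list, and every resolved address globally routable (is_global is
    False for loopback, private, link-local, CGNAT and reserved ranges).
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host or host.lower() not in allowed_hosts:
        return False
    try:
        addrs = resolve(host)
    except (socket.gaierror, OSError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if not ip.is_global:  # any internal address disqualifies the whole name
            return False
    return True


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; media.example.com is
    # deliberately mapped to an RFC 1918 address to show the rejection path.
    fake = {"cdn.example.com": {"11.22.33.44"}, "media.example.com": {"10.0.0.5"}}
    for u in ("https://cdn.example.com/a.png", "https://media.example.com/a.png"):
        print(u, is_safe_media_url(u, resolve=lambda h: fake[h]))
```

Because the name is resolved once here and again by the HTTP client, a record that changes between the two lookups (DNS rebinding) can still reach an internal address; connect to the checked address directly or re-verify the connected peer to close that window.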
CVE-2025-6242 is a Server-Side Request Forgery (SSRF) vulnerability in vLLM’s multimodal feature, allowing attackers to make unauthorized requests to internal network resources.
You are affected if you are using vLLM versions 0.9.2 or earlier. Upgrade to 0.11.0 to mitigate the risk.
Upgrade to vLLM version 0.11.0 or later. As a temporary workaround, implement a WAF or proxy to filter outbound requests.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability suggests potential for future attacks.
Refer to the official vLLM project's security advisories and release notes for details: [https://github.com/vllm-project/vllm/security/advisories](https://github.com/vllm-project/vllm/security/advisories)