CVE-2026-25960: Server-Side Request Forgery (SSRF) Bypass in vLLM MediaConnector via Parser Differential
Vulnerability ID: CVE-2026-25960
CVSS Score: 7.1
Published: 2026-03-09
vLLM contains a critical parser differential vulnerability that allows attackers to bypass existing Server-Side Request Forgery (SSRF) protections. By exploiting parsing discrepancies between urllib3 and yarl, attackers can craft specific URLs that pass validation but direct the underlying HTTP client to query internal network services and cloud metadata endpoints.
TL;DR
A URL parser differential between the validation layer and the HTTP client in vLLM allows attackers to bypass SSRF restrictions using the '\@' character sequence, granting unauthorized read access to internal network resources.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS Score: 7.1 (High)
- Impact: High Confidentiality, Low Availability
- Exploit Status: Proof of Concept Available
- Root Cause: Parser Differential (urllib3 vs yarl)
Affected Systems
- vLLM versions >= 0.15.1, < 0.17.0 (fixed in 0.17.0)
Code Analysis
Commit: 6f3b204
Fix for SSRF bypass in MediaConnector by enforcing use of normalized URL.
Exploit Details
- vLLM Security Test Cases: Proof of concept code demonstrating the bypass logic within the project's own test suite.
Mitigation Strategies
- Upgrade vLLM to version 0.17.0 to apply the URL normalization patch.
- Implement strict network egress filtering on the vLLM container/host to block access to internal networks and cloud metadata IPs (e.g., 169.254.169.254).
- Deploy WAF rules to detect and block requests containing '\@' within media URL parameters.
- Enforce least privilege for the IAM role associated with the vLLM compute instance.
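The root cause described above (the validator and the HTTP client parsing the same URL string differently) and the normalized-URL fix noted under Code Analysis can be illustrated with a small defensive validator. The following is an added example and is not vLLM's code or its actual patch; it uses only the standard library's `urllib.parse` (not urllib3 or yarl), and the function name `normalize_media_url`, the `resolver` injection parameter and the `is_rejected` helper are assumptions made for this illustration. The key property is that the validator returns one canonical URL string and the caller fetches that string, never the raw input, so there is no second parse for an attacker to play against; userinfo, backslashes and non-public destination addresses are refused outright.

```python
"""Added illustration (not vLLM's code): validate a media URL once, return the
canonical form, and require the HTTP client to use that exact string."""
import ipaddress
import re
import socket
from typing import Callable, List
from urllib.parse import urlsplit, urlunsplit

# Hostname alphabet we are willing to hand to an HTTP client. Anything else
# (brackets, '@', '\', percent-escapes) is refused rather than "cleaned up".
_SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]+$")
_DEFAULT_PORTS = {"http": 80, "https": 443}


class UnsafeURL(ValueError):
    """Raised when a media URL must not be fetched."""


def _is_blocked_ip(ip_str: str) -> bool:
    # Private, loopback, link-local (which covers the 169.254.169.254 cloud
    # metadata endpoint), multicast, reserved and unspecified are all refused.
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def normalize_media_url(raw: str,
                        resolver: Callable[[str], List[str]] = _default_resolver) -> str:
    """Validate `raw` and return the single canonical URL the client must use.

    `resolver` (hypothetical parameter) maps a hostname to the IP strings it
    resolves to; it is injectable so the check can run offline in tests.
    """
    # 1. Refuse bytes RFC 3986 never allows. A backslash is the classic
    #    differential trigger: one parser reads it as a path separator, another
    #    as an ordinary character sitting in front of '@'.
    if "\\" in raw or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        raise UnsafeURL("backslash or control character in URL")

    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        raise UnsafeURL("scheme must be http or https")

    # 2. Refuse userinfo outright: the '@' that introduces it is exactly where
    #    parsers disagree about where the host begins.
    if "@" in parts.netloc:
        raise UnsafeURL("userinfo is not allowed in media URLs")

    host = (parts.hostname or "").lower()
    if not host or not _SAFE_HOST.match(host):
        raise UnsafeURL("missing or malformed host")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc

    # 3. Destination check on every address the host maps to, not just the first.
    try:
        ipaddress.ip_address(host)
        addresses = [host]          # literal IP: no DNS lookup needed
    except ValueError:
        addresses = resolver(host)  # hostname: check all resolved addresses
    if not addresses or any(_is_blocked_ip(a) for a in addresses):
        raise UnsafeURL("host resolves to a non-public address")

    # 4. Rebuild the URL from the validated pieces. The caller fetches THIS
    #    string, never `raw`, so validator and client see the same host.
    netloc = host if port in (None, _DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def is_rejected(raw: str,
                resolver: Callable[[str], List[str]] = lambda h: ["93.184.216.34"]) -> bool:
    """True if the validator refuses `raw` (helper for tests and log triage)."""
    try:
        normalize_media_url(raw, resolver=resolver)
    except UnsafeURL:
        return True
    return False


if __name__ == "__main__":
    offline = lambda h: ["93.184.216.34"]  # constructed, keeps the demo offline
    print(normalize_media_url("HTTP://Example.COM:80/x?y=1#frag", resolver=offline))
    print(is_rejected("http://example.com\\@169.254.169.254/latest/meta-data/"))
```

The resolver check still leaves a DNS-rebinding window between validation and fetch; the stronger variant pins the connection to the validated address (or re-validates inside the client's connect hook), which is the same "one parse, one decision" principle applied one layer lower.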
Remediation Steps:
- Identify all vLLM deployments running versions 0.15.1 through 0.16.x.
- Update the container image or Python package to vLLM 0.17.0.
- Restart the vLLM inference engine to ensure the patched application code is loaded into memory.
- Review application logs for historical instances of backslash-at ('\@') sequences to identify prior exploitation attempts.
References
- GHSA-v359-jj2v-j536: SSRF Bypass in vLLM
- Pull Request 34743: Fix SSRF Bypass
- Fix Commit 6f3b204
- Related Advisory GHSA-qh4c-xf7m-gxfc (Initial Fix)