{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25960", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-03-09T21:01:01.827Z", "dateUpdated": "2026-03-10T15:01:18.476Z"}, "containers": {"cna": {"title": "SSRF Protection Bypass in vLLM", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"}, {"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc"}, {"name": "https://github.com/vllm-project/vllm/pull/34743", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/pull/34743"}, {"name": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0", "tags": ["x_refsource_MISC"], "url": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0"}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"version": ">= 0.15.1, < 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:01:01.827Z"}, "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}], "source": {"advisory": "GHSA-v359-jj2v-j536", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:01:11.202728Z", "id": "CVE-2026-25960", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:01:18.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:01:11.202728Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:01:15.560Z"}}], "cna": {"title": "SSRF Protection Bypass in vLLM", "source": {"advisory": "GHSA-v359-jj2v-j536", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vllm-project", "product": "vllm", "versions": [{"status": "affected", "version": ">= 0.15.1, < 0.17.0"}]}], "references": [{"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc", "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/pull/34743", "name": "https://github.com/vllm-project/vllm/pull/34743", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0", "name": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:01:01.827Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25960", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:01:18.476Z", "dateReserved": "2026-02-09T17:13:54.066Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T21:01:01.827Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}, {"lang": "es", "value": "vLLM es un motor de inferencia y servicio para modelos de lenguaje grandes (LLMs). La correcci\u00f3n de protecci\u00f3n contra SSRF para CVE-2026-24779 a\u00f1adida en 0.15.1 puede ser eludida en el m\u00e9todo load_from_url_async debido a un comportamiento inconsistente de an\u00e1lisis de URL entre la capa de validaci\u00f3n y el cliente HTTP real. La correcci\u00f3n de SSRF utiliza urllib3.util.parse_url() para validar y extraer el nombre de host de las URL proporcionadas por el usuario. Sin embargo, load_from_url_async utiliza aiohttp para realizar las solicitudes HTTP reales, y aiohttp utiliza internamente la biblioteca yarl para el an\u00e1lisis de URL. Esta vulnerabilidad en 0.17.0."}], "id": "CVE-2026-25960", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-09T21:16:15.537", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/pull/34743"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc"}, {"source": "security-advisories@github.com", "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vLLM: vLLM: Server-Side Request Forgery bypass via inconsistent URL parsing", "id": "2445892", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445892"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "status": "draft"}, "cwe": "CWE-474", "details": ["A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this Server-Side Request Forgery (SSRF) bypass vulnerability in the `load_from_url_async` method. The flaw occurs because the URL validation and the actual HTTP request handling use different parsing libraries, leading to inconsistencies. This allows an attacker to bypass existing SSRF protections, potentially leading to the disclosure of sensitive information from internal network resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25960", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis-preview/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Affected", "package_name": "rhaiis/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-vllm-cpu-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-cuda-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-09T21:01:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25960\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25960\nhttps://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0\nhttps://github.com/vllm-project/vllm/pull/34743\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc\nhttps://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"], "statement": "This is an IMPORTANT vulnerability. The vLLM component, as used in Red Hat AI Inference Server and Red Hat OpenShift AI, is affected by a Server-Side Request Forgery (SSRF) protection bypass. This flaw allows an attacker to circumvent existing SSRF safeguards due to inconsistent URL parsing between the validation layer and the underlying HTTP client when the `load_from_url_async` method is utilized.", "threat_severity": "Important"}