Listen to this Post
The Server-Side Request Forgery (SSRF) vulnerability in vLLM’s MediaConnector class stems from inconsistent URL parsing between validation and request execution. User-supplied URLs are processed by the `load_from_url` and `load_from_url_async` methods to fetch media. URL validation uses Python’s `urlparse` from urllib, which follows RFC 3986, while the actual HTTP request is made via `requests` library, which uses urllib3‘s `parse_url` adhering to the WHATWG Living Standard. These parsers interpret backslashes differently; `urlparse` may see a backslash as part of the hostname, while `parse_url` might treat it as a path separator or normalize it, allowing bypass of domain allowlists. For instance, a URL like http://allowed.com\\@internal.service` could be validated as `allowed.com` but request tointernal.service`. This discrepancy enables attackers to craft URLs that bypass host restrictions, forcing the vLLM server to send requests to internal network resources. In containerized deployments like llm-d, this can lead to internal network reconnaissance, unauthorized pod communication, Denial of Service via malicious API calls, or data exfiltration. The vulnerability is critical due to the potential for full internal network access.
Platform: vLLM
Version: Unspecified
Vulnerability: SSRF
Severity: Critical
date: Not disclosed
Prediction: Patch expected soon
What Undercode Say:
Analytics
Example curl command to test SSRF bypass using backslashes
curl -X POST http://vllm-server/load-media -d 'url=http://allowed.com\\@internal/metrics'
Code snippet from vulnerable MediaConnector method
def load_from_url(self, url: str, media_io, , fetch_timeout=None):
url_spec = urlparse(url) RFC 3986 parsing
if url_spec.scheme.startswith("http"):
self._assert_url_in_allowed_media_domains(url_spec)
connection = self.connection
data = connection.get_bytes(url, timeout=fetch_timeout) WHATWG parsing via requests
return media_io.load_bytes(data)
How Exploit:
Craft URLs with backslashes to bypass host allowlists, targeting internal endpoints.
Protection from this CVE
Use consistent URL parsing libraries, implement strict allowlist validation, and sanitize inputs.
Impact:
Internal network access, DoS, data leakage.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

