CVE-2026-25960
Published: 09 March 2026
Summary
CVE-2026-25960 is a high-severity SSRF (CWE-918) vulnerability in vLLM. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 35.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25960 is a server-side request forgery (SSRF) protection bypass vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The issue affects vLLM version 0.17.0 and stems from a fix for the prior CVE-2026-24779 that was introduced in version 0.15.1. Specifically, the SSRF protection in the load_from_url_async method validates user-provided URLs using urllib3.util.parse_url() to extract the hostname. However, the method performs actual HTTP requests via aiohttp, which uses the yarl library for URL parsing, leading to inconsistent behavior that allows bypasses. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) and maps to CWE-918.
An attacker requires low privileges (PR:L) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By supplying a malicious URL to the load_from_url_async method, the attacker can evade hostname validation, tricking the vLLM server into issuing requests to unauthorized destinations, such as internal network resources. Successful exploitation results in high confidentiality impact (C:H) with low availability impact (A:L) and no integrity impact (I:N), potentially exposing sensitive data.
Mitigation details are outlined in vLLM security advisories GHSA-qh4c-xf7m-gxfc and GHSA-v359-jj2v-j536, along with the fixing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 and pull request #34743. Security practitioners should apply these updates to eliminate the parsing discrepancy and restore effective SSRF protection.
This vulnerability is notable in AI/ML contexts, as vLLM powers LLM inference and serving deployments that may handle remote model loading, increasing exposure in production environments.
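One way to fail closed on the parser disagreement described above, as an added example that is not vLLM's own code or the upstream fix: extract the hostname with every parser in the request path and refuse the URL unless they all agree, then apply an allowlist and reject non-public IP literals. The function names, the allowlist and the sample hostnames are assumptions made for the illustration; urllib3 and yarl are cross-checked only when they are installed.

```python
import ipaddress
from urllib.parse import urlsplit

def _norm(host):
    # Compare hosts case-insensitively, without IPv6 brackets or a trailing dot.
    return host.strip("[]").rstrip(".").lower() if host else ""

def host_parsers():
    """Hostname extractors to cross-check; urllib3 and yarl are used when installed."""
    parsers = {"urllib.parse": lambda u: urlsplit(u).hostname}
    try:
        from urllib3.util import parse_url
        parsers["urllib3"] = lambda u: parse_url(u).host
    except ImportError:
        pass
    try:
        from yarl import URL
        parsers["yarl"] = lambda u: URL(u).host
    except ImportError:
        pass
    return parsers

def check_url(url, allowed_hosts, parsers=None):
    """Return the single agreed hostname, or raise ValueError (fail closed)."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    seen = set()
    for name, extract in (parsers or host_parsers()).items():
        try:
            seen.add(_norm(extract(url)))
        except Exception as exc:  # a parser that cannot parse the URL also rejects it
            raise ValueError(f"{name} rejected the URL") from exc
    if len(seen) != 1 or "" in seen:
        raise ValueError(f"parsers disagree on host: {sorted(seen)}")
    host = seen.pop()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:
        raise ValueError("IP literal is not a public address")
    if host not in allowed_hosts:
        raise ValueError("host is not on the allowlist")
    return host

def is_allowed(url, allowed_hosts, parsers=None):
    try:
        check_url(url, allowed_hosts, parsers)
        return True
    except ValueError:
        return False
```

A hostname that passes this check can still resolve to an internal address, so the boundary protection controls listed on this page remain necessary.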
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10356
Vulnerability details
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.
- CWE(s)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llms, vllm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF bypass in public-facing vLLM inference server directly enables exploitation of the application for initial/unauthorized access (T1190); the ability to issue requests to arbitrary internal destinations also facilitates network service discovery against protected hosts (T1046).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces boundary protection to block unauthorized server-initiated requests to internal resources, directly stopping the SSRF bypass in load_from_url_async.
Requires validation of URL inputs to ensure consistent hostname extraction, eliminating the urllib3 vs. yarl parsing discrepancy that bypasses the CVE-2026-24779 fix.
Enforces information flow policies on user-supplied URLs to prevent unauthorized flows to internal destinations via the aiohttp client.