Cyber Resilience

CVE-2026-25960

High · Public PoC · Updated

Published: 09 March 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0044 (35.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25960 is a high-severity SSRF (CWE-918) vulnerability in vLLM. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25960 is a server-side request forgery (SSRF) protection bypass vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The issue affects vLLM version 0.17.0 and stems from a fix for the prior CVE-2026-24779 that was introduced in version 0.15.1. Specifically, the SSRF protection in the load_from_url_async method validates user-provided URLs using urllib3.util.parse_url() to extract the hostname. However, the method performs actual HTTP requests via aiohttp, which uses the yarl library for URL parsing, leading to inconsistent behavior that allows bypasses. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) and maps to CWE-918.

An attacker requires low privileges (PR:L) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By supplying a malicious URL to the load_from_url_async method, the attacker can evade hostname validation, tricking the vLLM server into issuing requests to unauthorized destinations, such as internal network resources. Successful exploitation results in high confidentiality impact (C:H) with low availability impact (A:L) and no integrity impact (I:N), potentially exposing sensitive data.

Mitigation details are outlined in vLLM security advisories GHSA-qh4c-xf7m-gxfc and GHSA-v359-jj2v-j536, along with the fixing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 and pull request #34743. Security practitioners should apply these updates to eliminate the parsing discrepancy and restore effective SSRF protection.
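
One way to remove the validator/client parsing gap described above, as an added example rather than vLLM's own fix: accept only URLs in a narrow grammar, check the host against an allowlist, and hand the HTTP client a URL rebuilt from the validated parts. The allowlist, the function and class names, and the use of the standard-library urlsplit as the second parser are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example; a deployment supplies its own.
ALLOWED_HOSTS = frozenset({"models.example.com"})

# Deliberately narrow URL grammar. Anything outside the listed characters is
# rejected, so a URL that passes leaves a parser nothing to interpret
# differently from another parser.
_STRICT_URL = re.compile(
    r"(?P<scheme>https?)://"
    r"(?P<host>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?"
    r"(?P<path>/[A-Za-z0-9._~/-]*)?"
    r"(?:\?(?P<query>[A-Za-z0-9._~&=-]*))?"
)


class RejectedURL(ValueError):
    """Raised when a URL is outside the strict grammar or the allowlist."""


def canonical_fetch_url(raw: str) -> str:
    """Return the one string the HTTP client may receive, or raise RejectedURL."""
    m = _STRICT_URL.fullmatch(raw)
    if m is None:
        raise RejectedURL("URL is outside the strict grammar")
    host = m["host"]
    if host not in ALLOWED_HOSTS:
        raise RejectedURL(f"host {host!r} is not allowlisted")
    port = m["port"]
    if port is not None and not 0 < int(port) < 65536:
        raise RejectedURL("port out of range")
    # Rebuild from the validated pieces instead of forwarding the raw input.
    rebuilt = f"{m['scheme']}://{host}"
    if port is not None:
        rebuilt += f":{int(port)}"
    rebuilt += m["path"] or "/"
    if m["query"] is not None:
        rebuilt += f"?{m['query']}"
    # Defence in depth: a second, independent parser must agree on the host.
    # In a service that fetches with aiohttp this check would use the client's
    # own parser (assumption; stdlib urlsplit stands in here).
    if urlsplit(rebuilt).hostname != host:
        raise RejectedURL("parsers disagree on the host")
    return rebuilt
```

Only the returned string is passed to the HTTP client; the raw input is never forwarded, so the host that was validated is the host that is requested.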

This vulnerability is notable in AI/ML contexts, as vLLM powers LLM inference and serving deployments that may handle remote model loading, increasing exposure in production environments.

Vulnerability details

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.

AI Security Analysis AI

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llms, vllm

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Why these techniques?

The SSRF bypass in a public-facing vLLM inference server directly enables exploitation of the application for initial or unauthorized access (T1190). The ability to issue requests to arbitrary internal destinations also facilitates network service discovery against protected hosts (T1046).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24779 · Same product: Vllm Vllm
CVE-2026-22778 · Same product: Vllm Vllm
CVE-2026-22773 · Same product: Vllm Vllm
CVE-2025-62164 · Same product: Vllm Vllm
CVE-2026-22807 · Same product: Vllm Vllm
CVE-2026-27893 · Same product: Vllm Vllm
CVE-2025-24357 · Same product: Vllm Vllm
CVE-2024-11041 · Same product: Vllm Vllm
CVE-2025-66448 · Same product: Vllm Vllm
CVE-2025-29783 · Same product: Vllm Vllm

Affected Assets

vllm
vllm
0.15.1 — 0.17.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Enforces boundary protection to block unauthorized server-initiated requests to internal resources, directly stopping the SSRF bypass in load_from_url_async.

Prevent: Requires validation of URL inputs to ensure consistent hostname extraction, eliminating the urllib3 vs. yarl parsing discrepancy that bypasses the CVE-2026-24779 fix.

Prevent: Enforces information flow policies on user-supplied URLs to prevent unauthorized flows to internal destinations via the aiohttp client.
