CVE-2026-25960
Published: 09 March 2026
Summary
CVE-2026-25960 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in vLLM. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 6.8th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF bypass in public-facing vLLM inference server directly enables exploitation of the application for initial/unauthorized access (T1190); the ability to issue requests to arbitrary internal destinations also facilitates network service discovery against protected hosts (T1046).
NVD Description
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.
Deeper analysis
CVE-2026-25960 is a server-side request forgery (SSRF) protection bypass vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The issue affects vLLM version 0.17.0 and stems from a fix for the prior CVE-2026-24779 that was introduced in version 0.15.1. Specifically, the SSRF protection in the load_from_url_async method validates user-provided URLs using urllib3.util.parse_url() to extract the hostname. However, the method performs actual HTTP requests via aiohttp, which uses the yarl library for URL parsing, leading to inconsistent behavior that allows bypasses. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) and maps to CWE-918.
An attacker requires low privileges (PR:L) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By supplying a malicious URL to the load_from_url_async method, the attacker can evade hostname validation, tricking the vLLM server into issuing requests to unauthorized destinations, such as internal network resources. Successful exploitation results in high confidentiality impact (C:H) with low availability impact (A:L) and no integrity impact (I:N), potentially exposing sensitive data.
Mitigation details are outlined in vLLM security advisories GHSA-qh4c-xf7m-gxfc and GHSA-v359-jj2v-j536, along with the fixing commit 6f3b2047abd4a748e3db4a68543f8221358002c0 and pull request #34743. Security practitioners should apply these updates to eliminate the parsing discrepancy and restore effective SSRF protection.
This vulnerability is notable in AI/ML contexts, as vLLM powers LLM inference and serving deployments that may handle remote model loading, increasing exposure in production environments.
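The root cause described above is a parser differential: the validation layer and the HTTP client read the same user-supplied string differently. The following is an added example, not vLLM's code or the fixing commit, of the general defensive pattern that closes that gap: parse once, resolve the host and reject non-public addresses, then hand the client a URL rebuilt from the validated parts rather than the raw input. It uses only the standard library; SAMPLE_DNS, sample_resolver and the .example.test names are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
SAMPLE_DNS = {"models.example.test": ["93.184.216.34"],          # constructed, offline
              "dual.example.test": ["93.184.216.35", "10.0.0.5"]}  # one public, one private
sample_resolver = SAMPLE_DNS.__getitem__  # stand-in for default_resolver in tests

class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""

def default_resolver(host):
    # Every address the name resolves to, so a mixed A/AAAA answer is fully checked.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(ip):
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_and_canonicalize(url, resolver=default_resolver):
    """Check the URL, then return it rebuilt from the checked parts only, so the
    client never gets a second, differently parsed view of attacker-controlled text."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo not allowed")  # '@' is where parsers often disagree
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        raise UnsafeURL("bad port") from None
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: nothing to resolve
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not all(is_public(a) for a in addrs):
        raise UnsafeURL("host resolves to a non-public address")
    netloc = (f"[{host}]" if ":" in host else host) + ("" if port is None else f":{port}")
    # Fragment dropped, path defaults to "/". DNS may differ at connect time, so pin addrs.
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))

def is_safe_url(url, resolver=default_resolver):
    try:
        validate_and_canonicalize(url, resolver)
        return True
    except UnsafeURL:
        return False
```

Because DNS can answer differently between the check and the connect (rebinding), a production client should also pin the connection to the addresses that passed the check.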
Details
- CWE(s)