A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| vllm(PyPI) | 0.5.0 | 0.11.0 | N/A |
CVSS Metrics
