Description

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.

INFO

Published Date :

2026-03-09T21:01:01.827Z

Last Modified :

2026-03-10T15:01:18.476Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25960 vulnerability.

Vendors Products
Vllm
  • Vllm
Vllm-project
  • Vllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25960.

URL Resource
https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/pull/34743 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-25960 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-25960 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact