vLLM
cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*
- < 0.14.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the vLLM project, specifically in versions prior to 0.14.1. The issue resides within the MediaConnector class, which is part of vLLM's multimodal feature set. The vulnerability arises in the load_from_url and load_from_url_async methods, which process media from user-provided URLs. These methods use different Python libraries for URL parsing, leading to inconsistent interpretations of backslashes. This discrepancy allows attackers to bypass host name restrictions, potentially coercing the vLLM server into making arbitrary requests to internal network resources. The vulnerability is especially critical in containerized environments like llm-d, where a compromised vLLM pod could scan the internal network, interact with other pods, and access sensitive data or cause a denial-of-service.
Exploitation of this vulnerability could allow an attacker to make arbitrary requests to internal network resources, potentially accessing sensitive data, disrupting services, or causing instability in systems that rely on vLLM.
The vulnerability can be reproduced by using a vLLM version prior to 0.14.1 and sending a request through the MediaConnector class's load_from_url or load_from_url_async methods. The request should include a URL that exploits the backslash interpretation difference between urllib and urllib3, bypassing host restrictions and targeting an internal resource.
Users can upgrade to vLLM version 0.14.1 or later, where this vulnerability has been patched.
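The root cause described above is a parser differential: two libraries disagree on where the host ends when a backslash appears, so a host check done with one parser does not constrain the request made through the other. The following check is an added defensive illustration, not code from vLLM and not the project's fix. The `is_url_allowed` helper and the `ALLOWED_HOSTS` allowlist are hypothetical; the sample URLs are constructed. The idea is to reject, before parsing, the characters on which URL parsers commonly disagree (backslashes, whitespace, control characters), to require the authority to match a narrow `host[:port]` grammar, and only then to compare the host against an allowlist using a single parser.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would load its own.
ALLOWED_HOSTS = {"media.example.internal"}
ALLOWED_SCHEMES = {"http", "https"}

# Authority must be a plain hostname with an optional numeric port: no userinfo
# ('@'), no backslashes, no brackets, nothing a second parser could read differently.
_AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]+)?$")


def is_url_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if every parser would agree this URL points at an allowed host."""
    # Step 1: reject ambiguous characters before any library parses the string.
    # Backslash is the specific character behind this advisory; whitespace and
    # control characters are rejected for the same reason (parsers strip or keep
    # them inconsistently).
    for ch in url:
        if ch == "\\" or ch.isspace() or ord(ch) < 0x20:
            return False

    parts = urlsplit(url)

    # Step 2: only plain web schemes; file://, gopher:// etc. are not media sources.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False

    # Step 3: the whole authority must match the narrow grammar, so that the host
    # urlsplit reports is the only host any other parser could report.
    if not parts.netloc or not _AUTHORITY_RE.match(parts.netloc):
        return False

    # Step 4: exact, case-insensitive allowlist match on the parsed hostname.
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


if __name__ == "__main__":
    samples = [
        "https://media.example.internal/clip.mp4",            # allowed
        "https://media.example.internal:8443/clip.mp4",       # allowed, explicit port
        "https://media.example.internal\\clip.mp4",           # rejected: backslash
        "https://user@media.example.internal/clip.mp4",       # rejected: userinfo
        "https://other.example.internal/clip.mp4",            # rejected: not allowlisted
        "ftp://media.example.internal/clip.mp4",              # rejected: scheme
    ]
    for s in samples:
        print(f"{s!r:60} -> {is_url_allowed(s)}")
```

The check is deliberately string-level and conservative: it refuses anything it cannot prove unambiguous rather than trying to normalise backslashes into a canonical form, because a normalisation step is itself one more parser whose behaviour must match the HTTP client's. It says nothing about what the allowed host resolves to at request time, which is a separate control.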