vLLM
cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*
- < 0.14.1
- >= 0.15.1
A server-side request forgery (SSRF) vulnerability has been identified in the vLLM project, specifically within the MediaConnector class of the multimodal feature set. This vulnerability arises from a bypass of the SSRF protection fix implemented in version 0.15.1, due to inconsistent URL parsing between the validation layer and the HTTP client. The load_from_url_async method, which uses aiohttp for HTTP requests, can be exploited to bypass hostname restrictions and make arbitrary requests to internal network resources. This is particularly concerning in containerized environments, where such actions could disrupt services or expose sensitive data.
Exploitation of this vulnerability allows for full SSRF attacks, bypassing hostname allowlist checks to access internal or external services arbitrarily.
The vulnerability can be reproduced by providing a URL that includes a backslash before the '@' symbol. This URL will be parsed differently by the validation layer and the HTTP client, allowing the SSRF protection to be bypassed. After the bypass, the vLLM server can be coerced into making requests to internal network resources, potentially leading to a denial of service or exposure of sensitive data.
Users can update to vLLM version 0.17.0, where this vulnerability has been patched.