vLLM Server-Side Request Forgery Vulnerability in Batch Processing

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in vLLM versions from 0.16.0 up to, but not including, 0.19.0. The issue lies in the 'download_bytes_from_url' function: a crafted batch-input JSON file can make the vLLM batch runner send arbitrary HTTP or HTTPS requests from the server. The function applies no URL validation or domain restriction, so those requests can be pointed at internal services reachable from the vLLM host, such as cloud metadata endpoints or private HTTP APIs.

Impact

Exploitation lets anyone who can supply a batch input file reach internal services or APIs from the vLLM host, which can enable further attacks or expose data (a cloud metadata endpoint, for instance, typically serves instance credentials to any process on the host).

Reproduction

To reproduce, write a batch request file whose JSON lines carry a crafted 'file_url' field. The vLLM batch runner parses each line and hands the URL straight to 'download_bytes_from_url', which issues an HTTP request to it without any validation. Pointing 'file_url' at an internal service or cloud metadata endpoint reachable from the vLLM host is enough to make the host fetch it.
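The check that 'download_bytes_from_url' lacks, written out as an added example. This is not vLLM's code and makes two assumptions: the gate function 'check_file_url' and scanner 'scan_batch_lines' are hypothetical names, and the shape of the sample batch lines (a 'body' object holding 'file_url') is constructed for illustration rather than taken from vLLM's batch schema. The gate resolves the hostname and rejects any address that is loopback, private, link-local (which covers 169.254.169.254) or otherwise non-global, so decimal-IP and DNS tricks are judged by where the name actually points, not by how it is spelled. The resolver is injectable so the demo runs offline against a constructed DNS table.

```python
"""Added example, not vLLM's own code: a URL gate for batch-file fetches."""
import ipaddress
import json
import socket
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], List[str]]


def resolve_with_socket(host: str) -> List[str]:
    """Default resolver: every address (A and AAAA) the host resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_file_url(url: str, resolve: Resolver = resolve_with_socket) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the scheme is http/https and
    every address the host resolves to is a global unicast address."""
    try:
        parts = urlsplit(url)
    except ValueError as e:
        return False, f"unparseable URL: {e}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolve(host)
    except (socket.gaierror, OSError) as e:
        return False, f"resolution failed for {host}: {e}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # ::ffff:10.0.0.1 must be judged by the embedded IPv4 address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:  # loopback, private, link-local, CGNAT, reserved
            return False, f"{host} resolves to non-global address {a}"
    return True, "ok"


def find_file_urls(obj) -> Iterable[str]:
    """Yield every string keyed 'file_url' anywhere in a parsed JSON line.
    Where vLLM places file_url is not assumed here, so the whole object is walked."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "file_url" and isinstance(v, str):
                yield v
            else:
                yield from find_file_urls(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from find_file_urls(v)


def scan_batch_lines(lines: Iterable[str], resolve: Resolver = resolve_with_socket
                     ) -> List[Tuple[int, Optional[str], str]]:
    """Run the gate over JSONL batch lines; return (line_no, url, reason) per rejected URL."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as e:
            findings.append((n, None, f"invalid JSON: {e}"))
            continue
        for url in find_file_urls(obj):
            ok, reason = check_file_url(url, resolve)
            if not ok:
                findings.append((n, url, reason))
    return findings


# Constructed sample input; the line shape is assumed, not vLLM's schema.
SAMPLE_BATCH = [
    '{"custom_id": "r1", "body": {"file_url": "https://cdn.example.test/clip1.wav"}}',
    '{"custom_id": "r2", "body": {"file_url": "http://169.254.169.254/latest/meta-data/"}}',
    '{"custom_id": "r3", "body": {"file_url": "http://internal-api.corp.test:8080/admin"}}',
    '{"custom_id": "r4", "body": {"file_url": "file:///etc/passwd"}}',
]

# Constructed DNS table so the example runs offline (assumption, not real records).
FAKE_DNS = {"cdn.example.test": ["93.184.216.34"],
            "internal-api.corp.test": ["10.20.30.40"]}


def fake_resolve(host: str) -> List[str]:
    """Offline stand-in for resolve_with_socket: literal IPs resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise socket.gaierror(f"no record for {host}")


if __name__ == "__main__":
    for line_no, url, reason in scan_batch_lines(SAMPLE_BATCH, fake_resolve):
        print(f"line {line_no}: rejected {url!r}: {reason}")
```

Two caveats apply to any gate of this kind. First, validating before fetching leaves a window for DNS rebinding: the HTTP client resolves the name again at connect time, so the safe form pins the address checked here (or re-checks inside the client's connect hook). Second, the same check must run on every redirect target, otherwise an allowed public host can bounce the request to the metadata endpoint.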

Remediation

Upgrade to vLLM 0.19.0 or later, which fixes the issue. Until the upgrade is in place, treat batch input files as untrusted input and limit what the vLLM host can reach over the network (egress filtering, and blocking the cloud metadata endpoint where the host does not need it), so that a forged request has nowhere useful to go.

Added: Apr 6, 2026, 4:29 PM
Updated: Apr 6, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.4
exploitability: 6.6
remediation: 7.7
relevance: 5.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.