GHSA-pf3h-qjgv-vcpr: vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url`
Summary
vLLM (a language model serving framework) has a Server-Side Request Forgery (SSRF) vulnerability in its batch processing feature; in an SSRF, an attacker tricks a server into making requests to targets of the attacker's choosing. An attacker who can submit batch input JSON can make the vLLM server send arbitrary HTTP requests to any URL, including internal services such as cloud metadata endpoints, because the `download_bytes_from_url` function applies no restriction on the domains or IP addresses it will contact.
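The missing control the summary describes, shown as an added example that is not vLLM's code or its fix: a hypothetical `check_download_url` that vets a batch-input URL before any fetch, rejecting non-HTTP schemes, embedded credentials, and any host that resolves to a loopback, private, link-local (which covers the 169.254.169.254 metadata range) or IPv4-mapped internal address. The `resolver` parameter is an assumption so the check can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> List[str]:
    """Default resolver: every address the hostname maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_download_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = resolve_all) -> List[str]:
    """Vet a user-supplied download URL before fetching it (hypothetical helper).

    Returns the public IP addresses the host resolves to, or raises ValueError.
    The caller should connect to one of the returned addresses (IP pinning)
    rather than re-resolving the name; otherwise DNS rebinding can swap in an
    internal address between this check and the actual connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        raise ValueError("missing host or embedded credentials")
    try:
        # Literal IP in the URL: no DNS lookup needed.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolver(host))
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    bad = [a for a in addresses if not _is_public(ipaddress.ip_address(a))]
    if bad:
        # All-or-nothing: a single internal record is enough to reject the URL.
        raise ValueError(f"{host!r} resolves to non-public address(es): {bad}")
    return addresses
```

Network egress policy (firewalling the serving host away from metadata and internal ranges) belongs alongside this check, since URL validation alone cannot stop redirects or rebinding that the HTTP client follows after the check.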
Vulnerability Details
EPSS: 0.0%
April 3, 2026
Original source: https://github.com/advisories/GHSA-pf3h-qjgv-vcpr
First tracked: April 3, 2026 at 08:00 PM