GHSA-v359-jj2v-j536: vLLM has SSRF Protection Bypass
mediumvulnerabilityLLM-Specific
security
Summary
vLLM has a bypass in its SSRF (server-side request forgery, where an attacker tricks a server into making requests to unintended targets) protection because the validation layer and the HTTP client parse URLs differently. The validation uses urllib3, which treats backslashes as literal characters, but the actual requests use aiohttp with yarl, which interprets backslashes as part of the userinfo section. An attacker can craft a URL like `https://httpbin.org\@evil.com/` that passes validation for httpbin.org but actually connects to evil.com.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
Affected Packages
vllm@>= 0.15.1, < 0.17.0 (fixed: 0.17.0)
Related Issues
Original source: https://github.com/advisories/GHSA-v359-jj2v-j536
First tracked: March 9, 2026 at 04:00 PM
Classified by LLM (prompt v3) · confidence: 95%