CVE-2025-6242: A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimod
Summary
A Server-Side Request Forgery (SSRF) vulnerability, a weakness that lets attackers trick a server into making unwanted requests to internal resources, exists in the MediaConnector class of the vLLM project's multimodal feature set. The vulnerability occurs in the load_from_url and load_from_url_async methods, which fetch media from user-provided URLs without properly checking which hosts are allowed, potentially allowing attackers to access internal network resources through the vLLM server.
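The missing control described above is a host check performed before any fetch. The following is an added example, not vLLM's code or its fix; `check_media_url`, `is_allowed`, `ALLOWED_HOSTS` and the sample URLs are hypothetical names and constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist; a deployment would list its own media hosts.
ALLOWED_HOSTS = {"media.example.com", "cdn.example.org"}


def is_internal_address(host: str) -> bool:
    """True when host is an IP literal outside globally routable space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return not ip.is_global


def check_media_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the normalized host if the URL may be fetched, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # .hostname drops userinfo and port, so "allowed.host@10.0.0.5" yields 10.0.0.5.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError("URL has no host")
    if is_internal_address(host):
        raise ValueError(f"internal address: {host}")
    if host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host}")
    return host


def is_allowed(url: str) -> bool:
    """Boolean wrapper for logging or request filtering."""
    try:
        check_media_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("https://media.example.com/cat.png",
              "http://media.example.com@169.254.169.254/latest/",
              "http://[::1]:8000/", "file:///etc/passwd"):
        print(f"{u!r}: {'fetch' if is_allowed(u) else 'reject'}")
```

The same check has to run on every redirect hop, and an allowlisted name can still resolve to an internal address, so a resolution-time check is a further layer this sketch does not cover.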
Vulnerability Details
7.1 (high)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-6242
First tracked: February 15, 2026 at 08:44 PM
Classified by LLM (prompt v3) · confidence: 92%