2025-10-07 19:45:18
redhat
PUBLISHED
A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM projects multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.