{"api_version":"1","generated_at":"2026-07-09T09:30:45+00:00","cve":"CVE-2026-25960","urls":{"html":"https://cve.report/CVE-2026-25960","api":"https://cve.report/api/cve/CVE-2026-25960.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-25960","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-25960"},"summary":{"title":"SSRF Protection Bypass in vLLM","description":"vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-09 21:16:15","updated_at":"2026-06-30 03:17:46"},"problem_types":["CWE-918","CWE-474","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)","CWE-474 Use of Function with Inconsistent Implementations"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:24977","name":"https://access.redhat.com/errata/RHSA-2026:24977","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25960.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25960.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/pull/34743","name":"https://github.com/vllm-project/vllm/pull/34743","refsource":"security-advisories@github.com","tags":["Issue Tracking","Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536","name":"https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536","refsource":"security-advisories@github.com","tags":["Exploit","Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-25960","name":"https://access.redhat.com/security/cve/CVE-2026-25960","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc","name":"https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc","refsource":"security-advisories@github.com","tags":["Not Applicable"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0","name":"https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445892","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2445892","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-25960","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25960","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"vllm-project","product":"vllm","version":"affected >= 0.15.1, < 0.17.0","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI 2.25","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat AI Inference Server","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI (RHOAI)","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-03-09T22:02:05.461Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-03-09T21:01:01.827Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:24977: Red Hat OpenShift AI 2.25","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"25960","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vllm","cpe5":"vllm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"25960","cve":"CVE-2026-25960","epss":"0.004850000","percentile":"0.382610000","score_date":"2026-07-02","updated_at":"2026-07-03 00:06:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-25960","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-10T15:01:11.202728Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-10T15:01:18.476Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-03-09T21:01:01.827Z","descriptions":[{"lang":"en","value":"A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this Server-Side Request Forgery (SSRF) bypass vulnerability in the `load_from_url_async` method. The flaw occurs because the URL validation and the actual HTTP request handling use different parsing libraries, leading to inconsistencies. This allows an attacker to bypass existing SSRF protections, potentially leading to the disclosure of sensitive information from internal network resources."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-474","description":"Use of Function with Inconsistent Implementations","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:45:35.885Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-25960"},{"name":"RHBZ#2445892","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445892"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25960.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24977"}],"solutions":[{"lang":"en","value":"RHSA-2026:24977: Red Hat OpenShift AI 2.25"}],"timeline":[{"lang":"en","time":"2026-03-09T22:02:05.461Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-09T21:01:01.827Z","value":"Made public."}],"title":"vLLM: vLLM: Server-Side Request Forgery bypass via inconsistent URL parsing","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"vllm","vendor":"vllm-project","versions":[{"status":"affected","version":">= 0.15.1, < 0.17.0"}]}],"descriptions":[{"lang":"en","value":"vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"CWE-918: Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-09T21:01:01.827Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536","tags":["x_refsource_CONFIRM"],"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536"},{"name":"https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc","tags":["x_refsource_MISC"],"url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc"},{"name":"https://github.com/vllm-project/vllm/pull/34743","tags":["x_refsource_MISC"],"url":"https://github.com/vllm-project/vllm/pull/34743"},{"name":"https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0","tags":["x_refsource_MISC"],"url":"https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0"}],"source":{"advisory":"GHSA-v359-jj2v-j536","discovery":"UNKNOWN"},"title":"SSRF Protection Bypass in vLLM"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-25960","datePublished":"2026-03-09T21:01:01.827Z","dateReserved":"2026-02-09T17:13:54.066Z","dateUpdated":"2026-06-30T02:45:35.885Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-09 21:16:15","lastModifiedDate":"2026-06-30 03:17:46","problem_types":["CWE-918","CWE-474","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)","CWE-474 Use of Function with Inconsistent Implementations"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-10T15:01:11.202728Z","id":"CVE-2026-25960","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*","versionStartIncluding":"0.15.1","versionEndExcluding":"0.17.0","matchCriteriaId":"5A72A44F-F5E3-44C0-AB4B-A0B5B6797EFA"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"25960","Ordinal":"1","Title":"SSRF Protection Bypass in vLLM","CVE":"CVE-2026-25960","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"25960","Ordinal":"1","NoteData":"vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0.","Type":"Description","Title":"SSRF Protection Bypass in vLLM"}]}}}