
Cloud Vulnerability DB
A community-led vulnerabilities database
A Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-6242) was discovered in the MediaConnector class within the vLLM project's multimodal feature set. The vulnerability affects versions >= 0.5.0 and < 0.11.0, with the first patched version being 0.11.0. The issue lies in the load_from_url and load_from_url_async methods, which fetch and process media from user-provided URLs without adequate restrictions on the target hosts (Miggo, NVD).
The vulnerability is tracked as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 7.1 (HIGH), vector string: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H. The core issue exists in the MediaConnector.load_from_url method and its asynchronous counterpart, which accept URL strings to fetch media content (images, audio, video) with http, https, and file schemes. While there is an attempt to restrict file access through --allowed-local-media-path, this measure does not prevent network-based SSRF attacks (Miggo).
The vulnerability allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. In containerized environments like llm-d, a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. An attacker could make the vLLM pod send malicious requests to internal management endpoints, leading to system instability by falsely reporting metrics like the KV cache state (Miggo).
The recommended mitigation is to implement a configurable allowlist or denylist for domains and IP addresses. The most secure approach is to allow connections only to a predefined list of trusted domains via a command-line argument like --allowed-media-domains. Alternatively, a denylist could block access to private IP address ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and other sensitive domains. Users should upgrade to version 0.11.0 or later, which contains the fix (Miggo).
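The following Python is an added illustration of the allowlist/denylist policy described above; it is not vLLM's code and not the fix shipped in 0.11.0. It goes one step further than a plain hostname check: a name is rejected if any address it resolves to falls in a blocked range, and the vetted addresses are returned so the fetcher can connect to them directly rather than re-resolving the name. The function names, the MediaURLRejected exception, the injectable resolver and the constructed DNS table and sample addresses are all assumptions made for this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlparse

# Address ranges a user-supplied media URL must never reach: the private
# ranges named in the advisory, plus loopback, link-local (cloud metadata
# services answer on 169.254.169.254), "this network" and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# A resolver maps a hostname to every address it resolves to. It is injectable
# (an assumption of this example) so the policy can be tested offline.
Resolver = Callable[[str], Iterable[str]]


class MediaURLRejected(ValueError):
    """Raised when a media URL fails the SSRF policy (hypothetical name)."""


def system_resolver(host: str) -> List[str]:
    # Return all A/AAAA records: a name that resolves to one public address
    # and one private address must still be rejected.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def host_in_allowlist(host: str, allowed_domains: Iterable[str]) -> bool:
    # An entry matches itself and its subdomains. The explicit dot before the
    # suffix stops "notexample.com" from matching an entry "example.com".
    for entry in allowed_domains:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def address_is_blocked(addr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # The explicit list mirrors the advisory's denylist; is_global additionally
    # rejects CGNAT, documentation, benchmark and other non-routable ranges.
    return any(addr in net for net in BLOCKED_NETWORKS) or not addr.is_global


def validate_media_url(url: str, allowed_domains: Optional[Iterable[str]] = None,
                       resolver: Resolver = system_resolver) -> List[str]:
    """Check a media URL before fetching it and return the vetted addresses.

    Connecting to the returned addresses (with the Host header taken from the
    URL) instead of resolving the name again closes the DNS-rebinding window
    between this check and the actual request.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        # file:// is governed by the separate local-media-path restriction;
        # anything else (ftp, gopher, ...) is not a media source.
        raise MediaURLRejected(f"scheme {parsed.scheme!r} is not allowed for remote media")
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        raise MediaURLRejected("media URL has no host")
    if allowed_domains is not None and not host_in_allowlist(host, allowed_domains):
        raise MediaURLRejected(f"host {host!r} is not an allowed media domain")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP address in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise MediaURLRejected(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise MediaURLRejected(f"{host!r} resolved to no addresses")
    for addr in addrs:
        if address_is_blocked(addr):
            raise MediaURLRejected(f"{host!r} resolves to blocked address {addr}")
    return [str(a) for a in addrs]


def is_media_url_allowed(url: str, allowed_domains=None, resolver=system_resolver) -> bool:
    """Boolean form of validate_media_url, handy for request logging or metrics."""
    try:
        validate_media_url(url, allowed_domains, resolver)
        return True
    except MediaURLRejected:
        return False


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline; the public address is a
    # sample value, any globally routable address behaves the same.
    table = {"cdn.example.com": ["93.184.216.34"],
             "rebind.example.com": ["93.184.216.34", "10.0.0.5"]}
    for candidate in ("https://cdn.example.com/cat.png",
                      "http://10.0.0.5:8000/metrics",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://rebind.example.com/x.png",
                      "file:///etc/passwd"):
        verdict = is_media_url_allowed(candidate, ["example.com"], lambda h: table.get(h, []))
        print(f"{candidate} -> {'allowed' if verdict else 'rejected'}")
```

In a deployment the allowed_domains argument would be populated from a flag such as --allowed-media-domains; with the argument left as None the policy degrades to a pure denylist, which is the weaker of the two options the advisory describes.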
Source: This report was generated using AI