VYPR
High severity 7.1 · GHSA Advisory · Published Oct 7, 2025 · Updated Apr 15, 2026

CVE-2025-6242

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.
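A host restriction of the kind the description says is missing, as an added Python example; it is not vLLM's code and not the project's patch. The function name, the allowlisted host names and the sample DNS answers are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: hosts this deployment trusts for media (placeholder names).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"images.example.com": {"93.184.216.34"},
              "cdn.example.com": {"10.0.0.5"}}  # allowlisted name, internal IP


def system_resolver(host):
    """Addresses the OS resolver returns for host (used outside the demo)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_media_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason) for a user-supplied media URL before any fetch."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    # An allowlisted name can still point at an internal address.
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    offline = lambda h: SAMPLE_DNS.get(h, set())  # constructed resolver
    for u in ["https://images.example.com/cat.png",
              "https://images.example.com@127.0.0.1:8000/health",
              "https://cdn.example.com/a.jpg",
              "file:///etc/passwd"]:
        print(u, "->", check_media_url(u, resolver=offline))
```

A check like this only covers the URL as submitted: the fetch that follows has to connect to the address that was vetted and apply the same check to every redirect target, otherwise a redirect or a second DNS answer bypasses it.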

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Affected versions      Patched versions
vllm (PyPI)   >= 0.5.0, < 0.11.0     0.11.0
