High severity (CVSS 7.1) · GHSA Advisory · Published Oct 7, 2025 · Updated Apr 15, 2026
CVE-2025-6242
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-supplied URLs without adequately restricting the target hosts. An attacker who can submit a media URL (for example as part of a multimodal prompt) can therefore coerce the vLLM server into issuing arbitrary requests to internal network resources that are reachable from the server but not from the attacker.
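The following is an added example, written for this page and not vLLM's code or its fix, of the host restriction that the description says the affected loader lacks: only http/https URLs are fetched, URL-embedded credentials are rejected, the host may be checked against an allowlist, every resolved address (IP literal, every DNS answer, and IPv4-mapped IPv6 forms) must be public, and each redirect hop is validated again. The resolver and fetcher are injectable so the example runs offline against a constructed stub DNS table and canned responses; `system_resolve` is the production-style resolver. All host names, addresses and responses below are constructed for illustration.

```python
"""Added example (not vLLM's code): host validation for a URL-fetching media loader."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
Fetcher = Callable[[str], tuple]  # returns (status, body_or_location)
AnyIP = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class SSRFBlocked(ValueError):
    """Raised when a URL would make the server contact a disallowed host."""


# Constructed stub DNS table (example data, not real records).
_STUB_DNS = {
    "cdn.example.com": ["93.184.216.34"],                  # ordinary public host
    "metadata.example.com": ["169.254.169.254"],          # cloud metadata address
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
    "mapped.example.com": ["::ffff:127.0.0.1"],           # IPv4-mapped loopback
}


def stub_resolve(host: str) -> list:
    if host not in _STUB_DNS:
        raise OSError(f"NXDOMAIN: {host}")
    return list(_STUB_DNS[host])


def system_resolve(host: str) -> list:
    """Production resolver: getaddrinfo interprets shorthand such as 0x7f000001 or
    2130706433 the same way the socket layer will when it connects."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip: AnyIP) -> bool:
    # Unwrap ::ffff:a.b.c.d so the IPv4 checks apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    blocked = (ip.is_private or ip.is_loopback or ip.is_link_local
               or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
    return not blocked and ip.is_global


def validate_media_url(url: str, resolve: Resolver = stub_resolve,
                       allowed_hosts: Optional[frozenset] = None) -> list:
    """Return the addresses a fetch of `url` would contact, or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("credentials in URL are not allowed")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise SSRFBlocked(f"host not in allowlist: {host}")
    try:                      # IP literal (brackets already stripped by urlsplit)
        addrs = [ipaddress.ip_address(host)]
    except ValueError:        # hostname: check every answer, not just the first
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            raise SSRFBlocked(f"cannot resolve {host}: {exc}") from exc
    for ip in addrs:
        if not _is_public(ip):
            raise SSRFBlocked(f"{host} resolves to non-public address {ip}")
    return [str(a) for a in addrs]


def is_safe_media_url(url: str, **kw) -> bool:
    try:
        validate_media_url(url, **kw)
        return True
    except SSRFBlocked:
        return False


def fetch_media(url: str, fetch: Fetcher, resolve: Resolver = stub_resolve,
                allowed_hosts: Optional[frozenset] = None, max_redirects: int = 3) -> bytes:
    """Follow redirects manually so every hop is validated, not only the first URL."""
    for _ in range(max_redirects + 1):
        validate_media_url(url, resolve, allowed_hosts)
        status, payload = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = str(payload)           # Location header; loop re-validates it
            continue
        if status != 200:
            raise SSRFBlocked(f"unexpected status {status} for {url}")
        return bytes(payload)
    raise SSRFBlocked("too many redirects")


def try_fetch(url: str, fetch: Fetcher, **kw) -> Optional[bytes]:
    """Convenience wrapper: body on success, None when the fetch was blocked."""
    try:
        return fetch_media(url, fetch, **kw)
    except SSRFBlocked:
        return None


# Constructed stub fetcher: no network; maps URLs to canned responses.
_STUB_RESPONSES = {
    "https://cdn.example.com/cat.png": (200, b"\x89PNG..."),
    "https://cdn.example.com/go": (302, "http://metadata.example.com/latest/meta-data/"),
}


def stub_fetch(url: str) -> tuple:
    return _STUB_RESPONSES.get(url, (404, b""))
```

Two caveats a reviewer would raise against this pattern in production: the address list returned by `validate_media_url` must be the one actually connected to (pin the connection to a validated IP, or re-run the check inside the HTTP client's connection hook), otherwise a second DNS lookup at connect time reopens a rebinding window; and the public-address test says nothing about hosts that are public but still should not be reachable from an inference server, which is why the allowlist parameter exists.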
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| vllm | PyPI | >= 0.5.0, < 0.11.0 | 0.11.0 |
Affected products
Six OSV package coordinates; no CPE is assigned to any of them.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/py3.10-vllm-cuda-12.4 | < 0.11.0-r2 |
| pkg:apk/chainguard/py3.12-vllm-cuda-12.4 | < 0.11.0-r2 |
| pkg:apk/chainguard/py3-vllm-cuda-12.4 | < 0.11.0-r2 |
| pkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9 | < 25.9.0_git20251016-r0 |
| pkg:apk/chainguard/tritonserver-backend-vllm-meta-cuda-12.9 | < 25.9.0_git20251016-r0 |
| pkg:pypi/vllm | >= 0.5.0, < 0.11.0 |
Patches
Fixed in vllm 0.11.0; the upstream fix is commit 9d9a2b77f19f68262d5e469c4e82c0f6365ad72d in vllm-project/vllm (linked under References). Deployments on any 0.5.0 to 0.10.x release should upgrade to 0.11.0 or later; the Chainguard package ranges above give the corresponding fixed builds for those images.
References
Six references:
- https://github.com/advisories/GHSA-3f6c-7fw2-ppm4 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-6242 (GHSA, advisory)
- https://access.redhat.com/security/cve/CVE-2025-6242 (NVD, web)
- https://bugzilla.redhat.com/show_bug.cgi (NVD, web)
- https://github.com/vllm-project/vllm/commit/9d9a2b77f19f68262d5e469c4e82c0f6365ad72d (GHSA, web)
- https://github.com/vllm-project/vllm/security/advisories/GHSA-3f6c-7fw2-ppm4 (GHSA, web)