CVE-2025-6242 | THREATINT

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.

PUBLISHED Reserved 2025-06-18 | Published 2025-10-07 | Updated 2025-10-07 | Assigner redhat

HIGH: 7.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

Problem types

Server-Side Request Forgery (SSRF)

Product status

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Timeline

2025-06-18:	Reported to Red Hat.
2025-10-07:	Made public.

References

access.redhat.com/security/cve/CVE-2025-6242 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2373716 (RHBZ#2373716) issue-tracking

cve.org (CVE-2025-6242)

nvd.nist.gov (CVE-2025-6242)

Download JSON