Vulnerability DatabaseCVE-2025-6242
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-6242
October 07, 2025
A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.
Affected Packages
vllm (PYTHON):
Affected version(s) >=0.5.0 <0.11.0
Fix Suggestion:
Update to version 0.11.0
Related Resources (6)
https://github.com/vllm-project/vllm/security/advisories/GHSA-3f6c-7fw2-ppm4
https://github.com/vllm-project/vllm/commit/9d9a2b77f19f68262d5e469c4e82c0f6365ad72d
https://bugzilla.redhat.com/show_bug.cgi?id=2373716
https://access.redhat.com/security/cve/CVE-2025-6242
https://nvd.nist.gov/vuln/detail/CVE-2025-6242
https://github.com/vllm-project/vllm
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
EPSS
Base Score:
0.07