CVE-2026-25960: CWE-918: Server-Side Request Forgery (SSRF) in vllm-project vllm

Severity: High
Published: Mon Mar 09 2026 (03/09/2026, 21:01:01 UTC)
Source: CVE Database V5
Vendor/Project: vllm-project
Product: vllm

Description

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability is fixed in 0.17.0.

AI-Powered Analysis

Last updated: 03/10/2026, 15:33:46 UTC

Technical Analysis

CVE-2026-25960 is a Server-Side Request Forgery (SSRF) vulnerability identified in the vllm-project's vllm inference and serving engine for large language models. The vulnerability specifically affects versions from 0.15.1 up to but not including 0.17.0. The root cause is a mismatch in URL parsing logic between the SSRF protection validation layer and the actual HTTP client used for requests. The SSRF fix introduced in version 0.15.1 uses urllib3.util.parse_url() to validate and extract hostnames from user-supplied URLs to prevent SSRF attacks. However, the load_from_url_async method, which performs asynchronous HTTP requests, uses aiohttp, which internally relies on the yarl library for URL parsing. Because urllib3 and yarl parse URLs differently, an attacker can craft malicious URLs that pass validation but cause aiohttp to request unintended internal or protected resources. This inconsistency effectively bypasses the SSRF protections, enabling attackers to make unauthorized HTTP requests from the server to internal systems or external endpoints. The vulnerability requires low privileges (PR:L) but no user interaction (UI:N), and the attack surface is network accessible (AV:N). The impact is primarily on confidentiality (C:H), as attackers can access sensitive internal services or data, with limited impact on availability (A:L) and no integrity impact (I:N). No public exploits have been reported yet, but the vulnerability is rated high severity with a CVSS score of 7.1. This vulnerability highlights the importance of consistent URL parsing and validation across all components handling user input in security-sensitive contexts.

Potential Impact

The SSRF vulnerability in vllm can have significant impacts on organizations deploying this software for large language model inference. Successful exploitation allows attackers to make arbitrary HTTP requests from the vulnerable server to internal or external systems, potentially accessing sensitive internal services, metadata endpoints, or private data not otherwise exposed. This can lead to data leakage, unauthorized information disclosure, and reconnaissance for further attacks. Since vllm is used in AI model serving, attackers might also leverage SSRF to access internal APIs or cloud metadata services, increasing the risk of credential theft or lateral movement. The vulnerability requires only low privileges and no user interaction, increasing the risk of automated exploitation if attackers gain limited access. Although no exploits are currently known in the wild, the high CVSS score and the critical nature of SSRF attacks mean organizations should treat this as a serious risk. The impact is especially pronounced in cloud environments or complex internal networks where SSRF can be a gateway to sensitive infrastructure components.

Mitigation Recommendations

To mitigate CVE-2026-25960, organizations should upgrade vllm to version 0.17.0 or later, where the SSRF bypass issue is resolved. If immediate upgrading is not feasible, organizations should implement strict network segmentation and egress filtering to limit the vulnerable server's ability to reach internal or sensitive endpoints. Additionally, applying application-layer firewall rules to restrict outbound HTTP requests from the vllm service can reduce exploitation risk. Developers should ensure consistent URL parsing libraries are used both for validation and actual HTTP requests to prevent discrepancies. Monitoring and logging HTTP requests made by vllm can help detect suspicious SSRF attempts. Finally, applying the principle of least privilege to the vllm service account and isolating it in a hardened environment reduces the potential damage of SSRF exploitation.
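The failure mode in the Technical Analysis above (a validator and an HTTP client that parse the same raw string differently) is general to SSRF filters, and the Mitigation Recommendations ask developers to close it by keeping validation and the outbound request consistent. The following added example, which is not vLLM's code and not the fix shipped in 0.17.0, shows one standard-library way to do that: validate the URL, resolve the host, reject anything that maps to a non-global address, and then rebuild a canonical URL from the validated components so that whatever client library follows (aiohttp/yarl, requests/urllib3, or another) never re-interprets the user's original input. The hostname grammar, the allowed schemes, and the `demo_resolver` lookup table are assumptions constructed for the example; `resolve_all` is the real-DNS default.

```python
"""Fail-closed outbound URL gate: validate, resolve, then rebuild a canonical
URL so the HTTP client never re-parses the raw user-supplied string."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit, urlunsplit

# Strict DNS-name grammar (assumption: the service only needs plain hostnames).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a URL is rejected; callers must not fall back to the raw string."""


def resolve_all(host):
    """Resolve a hostname to every address it maps to (the default, real-DNS resolver)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


# Constructed lookup table so the example runs offline; not real DNS data.
_DEMO_TABLE = {
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "metadata.local": {"169.254.169.254"},
}


def demo_resolver(host):
    """Offline stand-in for resolve_all, driven by the constructed table above."""
    return {ipaddress.ip_address(a) for a in _DEMO_TABLE.get(host, ())}


def canonical_url(raw, resolver=resolve_all):
    """Return a canonical URL string for `raw`, or raise UnsafeURL.

    The result is assembled from the components that were actually checked,
    so a downstream client sees exactly the validated host and nothing else.
    """
    # Whitespace, control characters and backslashes are handled differently
    # by different URL parsers; refuse them outright instead of normalising.
    if re.search(r"[\s\\\x00-\x1f\x7f]", raw):
        raise UnsafeURL("forbidden characters in URL")
    parts = urlsplit(raw)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    # Userinfo ('user:pass@host') is a classic source of parser disagreement.
    if "@" in parts.netloc or parts.username is not None:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise UnsafeURL("empty host")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc

    # The host must be either an IP literal or a strictly-formed DNS name.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
        if not _HOSTNAME_RE.match(host):
            raise UnsafeURL(f"malformed hostname: {host!r}")

    # Every address the host maps to must be globally routable; this rejects
    # loopback, RFC 1918, link-local (incl. cloud metadata) and reserved ranges.
    addresses = {literal} if literal is not None else resolver(host)
    if not addresses:
        raise UnsafeURL("host did not resolve")
    for addr in addresses:
        if not addr.is_global:
            raise UnsafeURL(f"{host} resolves to non-global address {addr}")

    # Rebuild from validated components; the fragment never leaves the client.
    netloc = f"[{literal.compressed}]" if literal is not None and literal.version == 6 else host
    if port is not None:
        netloc = f"{netloc}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def is_safe(raw, resolver=resolve_all):
    """Boolean convenience wrapper around canonical_url."""
    try:
        canonical_url(raw, resolver)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    print(canonical_url("HTTPS://Example.COM:8443/v1/models?x=1#frag", demo_resolver))
    print(is_safe("http://intranet.corp/", demo_resolver))
```

The important design choice is the last step: the string handed to the HTTP client is `canonical_url(...)`, not `raw`. If a client must receive the original string for some reason, the equivalent check is to parse it with the client's own parser (for aiohttp, `yarl.URL(raw).host`) and refuse the request unless that host equals the one the validator checked.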


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-09T17:13:54.066Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 3/10/2026, 3:19:37 PM

Last enriched: 3/10/2026, 3:33:46 PM

Last updated: 3/10/2026, 7:17:55 PM
