CVE-2025-6242 HIGH

CVE-2025-6242: vLLM: Server-Side Request Forgery (SSRF) in MediaConnector

Vendor Red Hat
Product Red Hat AI Inference Server
Weakness CWE-918 · SSRF
Published October 7, 2025
Last update October 17, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

What the vulnerability does

01Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class of the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-supplied URLs without adequately restricting the target hosts. An attacker who can submit a multimodal request (the vector rates the privileges required as Low) can therefore coerce the vLLM server into issuing requests to arbitrary internal network resources reachable from the server, such as services that are not exposed to the attacker directly.
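The description above names the defect (no restriction on the target host) but not what an adequate restriction looks like. The following is an added example written for this page; it is not vLLM's MediaConnector code and makes no claim about how the project fixed the issue. All names (validate_media_url, UnsafeMediaURL, check, FAKE_DNS, fake_resolver) and the DNS answers are hypothetical and constructed so that the example runs offline. It rejects non-HTTP schemes, embedded credentials, hosts outside an optional allowlist, and any literal or resolved address in loopback, private, link-local, multicast, reserved or unspecified ranges, including IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and names that resolve to a mix of public and internal addresses.

```python
"""Hardened media-URL validation for an SSRF-prone fetcher.

Added example for this advisory, not vLLM's code. Function names and the
FAKE_DNS table are hypothetical.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeMediaURL(ValueError):
    """Raised when a user-supplied media URL is rejected."""


def system_resolver(host: str) -> list[str]:
    """Resolve host to every A/AAAA answer using the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr: IPAddress) -> bool:
    """True for any address a media fetcher must never be coerced into reaching."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_media_url(url: str, *, allowed_hosts: Optional[Iterable[str]] = None,
                       resolver: Callable[[str], list[str]] = system_resolver):
    """Return (host, resolved_addresses) or raise UnsafeMediaURL.

    The caller should connect to one of the returned addresses (sending the
    original name as Host/SNI) instead of resolving again; otherwise a DNS
    rebinding attacker can pass this check and flip the answer to an
    internal address between check and connect. Re-run the check on every
    redirect hop, or disable redirects.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeMediaURL(f"scheme not allowed: {parts.scheme or '(none)'}")
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        raise UnsafeMediaURL("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeMediaURL("credentials in URL are not allowed")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeMediaURL(f"host not in allowlist: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        # Not a literal: resolve and check every answer. A name can map to a
        # mix of public and internal addresses, and forms such as
        # "2130706433" only become 127.0.0.1 inside the resolver.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeMediaURL(f"cannot resolve {host}: {exc}") from exc
    if not addrs:
        raise UnsafeMediaURL(f"{host} resolved to no addresses")
    for addr in addrs:
        if is_internal(addr):
            raise UnsafeMediaURL(f"{host} resolves to internal address {addr}")
    return host, [str(a) for a in addrs]


def check(url: str, **kwargs) -> str:
    """Convenience wrapper: 'ok' or 'rejected: <reason>'."""
    try:
        validate_media_url(url, **kwargs)
        return "ok"
    except UnsafeMediaURL as exc:
        return f"rejected: {exc}"


# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {
    "cdn.example.org": ["93.184.216.34"],
    "metadata.example.org": ["169.254.169.254"],          # cloud metadata endpoint
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],  # mixed answer set
}


def fake_resolver(host: str) -> list[str]:
    """Stand-in for system_resolver backed by FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}") from None


if __name__ == "__main__":
    for u in ["https://cdn.example.org/frame.png",
              "http://127.0.0.1:8000/v1/models",
              "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.example.org/",
              "http://rebind.example.org/x.jpg",
              "file:///etc/passwd"]:
        print(f"{u:45} {check(u, resolver=fake_resolver)}")
```

The check is deliberately resolver-based rather than a string blocklist: hostname filtering alone is bypassed by attacker-controlled DNS names, decimal or octal IP encodings, and IPv4-mapped IPv6 literals, all of which collapse to an internal address only once resolved. The remaining gap is the window between validation and connection, which is why the returned address list should be the one the HTTP client actually connects to.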

Key dates

02Disclosure timeline

October 7, 2025 CVE published
October 17, 2025 Record updated