VDB
KO
MEDIUM 5.4

GHSA-v359-jj2v-j536

vLLM has SSRF Protection Bypass

Details

## Summary

The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the `load_from_url_async` method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client.

## Affected Component

- **File**: `vllm/connections.py` - **Function**: `load_from_url_async`

## Vulnerability Details

### Root Cause

The SSRF [fix](https://github.com/vllm-project/vllm/pull/32746) uses `urllib3.util.parse_url()` to validate and extract the hostname from user-provided URLs. However, `load_from_url_async` uses `aiohttp` for making the actual HTTP requests, and `aiohttp` internally uses the `yarl` library for URL parsing.

These two URL parsers handle backslash characters (`\`) differently:

| Parser | Input URL | Parsed Host | Parsed Path | Behavior | |--------|-----------|-------------|-------------|----------| | `urllib3.parse_url()` | `https://httpbin.org\@evil.com/` | `httpbin.org` | `/%5C@evil.com/` | URL-encodes `\` as `%5C`, treats `\@evil.com/` as part of the path | | `yarl` (via aiohttp) | `https://httpbin.org\@evil.com/` | `evil.com` | `/` | Treats `\` as part of userinfo (`user: httpbin.org\`), the `@` acts as the userinfo/host separator |

### Attack Scenario

```python # Attacker provides this URL malicious_url = "https://httpbin.org\\@evil.com/"

# 1. Validation layer (urllib3.parse_url) parsed = urllib3.util.parse_url(malicious_url) # parsed.host == "httpbin.org" ✅ Passes validation

# 2. Actual request (aiohttp with yarl) async with aiohttp.ClientSession() as session: async with session.get(malicious_url) as response: # Request actually goes to evil.com! ❌ Bypass! ```

### Why This Happens

1. **yarl**: Interprets `httpbin.org\` as the userinfo component, and `@` as the userinfo/host separator, so the URL is parsed as `user=httpbin.org\`, `host=evil.com`, `path=/` 2. **urllib3**: URL-encodes the backslash as `%5C`, so `\@evil.com/` becomes `/%5C@evil.com/` which is treated as part of the path, leaving `host=httpbin.org`

This inconsistency allows an attacker to: - Bypass the hostname allowlist check - Access arbitrary internal/external services - Perform full SSRF attacks

## Fixes

- https://github.com/vllm-project/vllm/pull/34743

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / vllm
Introduced in: 0.15.1 Fixed in: 0.17.0
Fix pip install --upgrade 'vllm>=0.17.0'

References