- "details": "### Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The `load_from_url` and `load_from_url_async` methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.\n\nThis vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state.\n\n### Vulnerability Details\n\nThe core of the vulnerability lies in the `MediaConnector.load_from_url` method and its asynchronous counterpart. These methods accept a URL string to fetch media content (images, audio, video).\n\nhttps://github.com/vllm-project/vllm/blob/119f683949dfed10df769fe63b2676d7f1eb644e/vllm/multimodal/utils.py#L97-L113\n\nThe function directly processes URLs with `http`, `https`, and `file` schemes. An attacker can supply a URL pointing to an internal IP address or a `localhost` endpoint. The vLLM server will then initiate a connection to this internal resource.\n\n* **HTTP/HTTPS Scheme:** An attacker can craft a request like `{\"image_url\": \"http://127.0.0.1:8080/internal_api\"}`. The vLLM server will send a GET request to this internal endpoint.\n* **File Scheme:** The `_load_file_url` method attempts to restrict file access to a subdirectory defined by `--allowed-local-media-path`. While this is a good security measure for local file access, it does not prevent network-based SSRF attacks.\n\n### Impact in `llm-d` Environments\n\nThe risk is significantly amplified in orchestrated environments such as `llm-d`, where multiple pods communicate over an internal network.\n\n1. **Denial of Service (DoS):** An attacker could target internal management endpoints of other services within the `llm-d` cluster. For instance, if a monitoring or metrics service is exposed internally, an attacker could send malformed requests to it. A specific example is an attacker causing the vLLM pod to call an internal API that reports a false KV cache utilization, potentially triggering incorrect scaling decisions or even a system shutdown.\n\n2. **Internal Network Reconnaissance:** Attackers can use the vulnerability to scan the internal network for open ports and services by providing URLs like `http://10.0.0.X:PORT` and observing the server's response time or error messages.\n\n3. **Interaction with Internal Services:** Any unsecured internal service becomes a potential target. This could include databases, internal APIs, or other model pods that might not have robust authentication, as they are not expected to be directly exposed.\n\nDelegating this security responsibility to an upper-level orchestrator like `llm-d` is problematic. **The orchestrator cannot easily distinguish between legitimate requests initiated by the vLLM engine for its own purposes and malicious requests originating from user input, thus complicating traffic filtering rules and increasing management overhead.**\n\n### Proposed Mitigation\n\nTo address this vulnerability, it is essential to restrict the URLs that the `MediaConnector` can access. The principle of least privilege should be applied.\n\nIt is recommend to implement a configurable **allowlist or denylist** for domains and IP addresses.\n\n* **Allowlist:** The most secure approach is to allow connections only to a predefined list of trusted domains. This could be configured via a command-line argument, such as `--allowed-media-domains`. By default, this list could be empty, forcing administrators to explicitly enable external media fetching.\n\n* **Denylist:** Alternatively, a denylist could block access to private IP address ranges (`127.0.0.1`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) and other sensitive domains.\n\nA check should be added at the beginning of the `load_from_url` methods to validate the parsed hostname against this list before any connection is made.\n\n**Example Implementation Idea:**\n\n```python\n# In MediaConnector.__init__\nself.allowed_domains = set(config.get(\"allowed_media_domains\", []))\nself.denied_ip_ranges = [ip_network(r) for r in PRIVATE_IP_RANGES]\n\n# In MediaConnector.load_from_url\nurl_spec = urlparse(url)\nhostname = url_spec.hostname\n\nif self.allowed_domains and hostname not in self.allowed_domains:\n raise ValueError(f\"Domain {hostname} is not in the allowed list.\")\n\nip_address = ip_address(socket.gethostbyname(hostname))\nif any(ip_address in network for network in self.denied_ip_ranges):\n raise ValueError(f\"Access to private IP address {ip_address} is forbidden.\")\n```\n\nBy integrating this control directly into vLLM, empower administrators to enforce security policies at the source, creating a more secure deployment by default and reducing the burden on higher-level infrastructure management.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments