Summary
The SSRF protection fix for GHSA-qh4c-xf7m-gxfc can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client.
Affected Component
- File:
vllm/connections.py
- Function:
load_from_url_async
Vulnerability Details
Root Cause
The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing.
These two URL parsers handle backslash characters (\) differently:
| Parser |
Input URL |
Parsed Host |
Parsed Path |
Behavior |
urllib3.parse_url() |
https://httpbin.org\@evil.com/ |
httpbin.org |
/%5C@evil.com/ |
URL-encodes \ as %5C, treats \@evil.com/ as part of the path |
yarl (via aiohttp) |
https://httpbin.org\@evil.com/ |
evil.com |
/ |
Treats \ as part of userinfo (user: httpbin.org\), the @ acts as the userinfo/host separator |
Attack Scenario
# Attacker provides this URL
malicious_url = "https://httpbin.org\\@evil.com/"
# 1. Validation layer (urllib3.parse_url)
parsed = urllib3.util.parse_url(malicious_url)
# parsed.host == "httpbin.org" ✅ Passes validation
# 2. Actual request (aiohttp with yarl)
async with aiohttp.ClientSession() as session:
async with session.get(malicious_url) as response:
# Request actually goes to evil.com! ❌ Bypass!Why This Happens
- yarl: Interprets
httpbin.org\ as the userinfo component, and @ as the userinfo/host separator, so the URL is parsed as user=httpbin.org\, host=evil.com, path=/
- urllib3: URL-encodes the backslash as
%5C, so \@evil.com/ becomes /%5C@evil.com/ which is treated as part of the path, leaving host=httpbin.org
This inconsistency allows an attacker to:
- Bypass the hostname allowlist check
- Access arbitrary internal/external services
- Perform full SSRF attacks
Fixes
References
RacerZ-fighting Reporter
russellb Coordinator
DarkLight1337 Remediation reviewer
Isotr0py Other
Summary
The SSRF protection fix for GHSA-qh4c-xf7m-gxfc can be bypassed in the
load_from_url_asyncmethod due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client.Affected Component
vllm/connections.pyload_from_url_asyncVulnerability Details
Root Cause
The SSRF fix uses
urllib3.util.parse_url()to validate and extract the hostname from user-provided URLs. However,load_from_url_asyncusesaiohttpfor making the actual HTTP requests, andaiohttpinternally uses theyarllibrary for URL parsing.These two URL parsers handle backslash characters (
\) differently:urllib3.parse_url()https://httpbin.org\@evil.com/httpbin.org/%5C@evil.com/\as%5C, treats\@evil.com/as part of the pathyarl(via aiohttp)https://httpbin.org\@evil.com/evil.com/\as part of userinfo (user: httpbin.org\), the@acts as the userinfo/host separatorAttack Scenario
Why This Happens
httpbin.org\as the userinfo component, and@as the userinfo/host separator, so the URL is parsed asuser=httpbin.org\,host=evil.com,path=/%5C, so\@evil.com/becomes/%5C@evil.com/which is treated as part of the path, leavinghost=httpbin.orgThis inconsistency allows an attacker to:
Fixes
References