Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
Vulnerability Description
vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
vLLM 代码问题漏洞
Vulnerability Description
vLLM是vLLM开源的一个适用于 LLM 的高吞吐量和内存高效推理和服务引擎。 vLLM 0.16.0至0.19.0之前版本存在代码问题漏洞,该漏洞源于download_bytes_from_url函数缺少URL验证,可能导致服务端请求伪造攻击。
CVSS Information
N/A
Vulnerability Type
N/A